author | Murray Stokely <murray@FreeBSD.org> | 2010-01-31 22:36:14 +0000 |
---|---|---|
committer | Murray Stokely <murray@FreeBSD.org> | 2010-01-31 22:36:14 +0000 |
commit | 957bf65275290ef41774f7b3f7a88aff9c000bd6 (patch) | |
tree | 4daa269277d63b5cf0c2a59037621d3e7081cce1 /en_US.ISO8859-1/captions/2009 | |
parent | 97f909cf1732ec39cae4e5989cf04e612e44d491 (diff) | |
download | doc-957bf65275290ef41774f7b3f7a88aff9c000bd6.tar.gz doc-957bf65275290ef41774f7b3f7a88aff9c000bd6.zip |
Add transcripts for three additional conference talks from YouTube
Machine Translation and 1 pass of human editing hired through Amazon
Mechanical Turk.
Sponsored by: FreeBSD Foundation
Notes:
svn path=/head/; revision=35287
Diffstat (limited to 'en_US.ISO8859-1/captions/2009')
mode | file | lines |
---|---|---|
-rw-r--r-- | en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv | 4426 |
1 files changed, 4426 insertions, 0 deletions
diff --git a/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv new file mode 100644 index 0000000000..caa7460c7a --- /dev/null +++ b/en_US.ISO8859-1/captions/2009/dcbsdcon/bejtlich-networksecurity.sbv 
@@ -0,0 +1,4426 @@ +0:00:05.950,0:00:10.409 +So I’d like to thank Jason for inviting me. +I have to say I feel + +0:00:10.409,0:00:11.909 +woefully unprepared + +0:00:11.909,0:00:15.719 +all the stuff I’ve been listening to, you pretty +much have to be a kernel developer here + +0:00:15.719,0:00:18.549 +it's not even enough to be like a normal committer I imagine + +0:00:18.549,0:00:21.519 +um you have to have invented something really cool + +0:00:21.519,0:00:23.069 +I'm here as a user + +0:00:23.069,0:00:27.199 +to try to take the loser off of it + +0:00:27.199,0:00:31.260 +I didn’t even boot into the BSD side of my laptop so + +0:00:31.260,0:00:34.290 +no rocks thrown up here + +0:00:34.290,0:00:36.120 +I wanted to talk about actually + +0:00:36.120,0:00:39.820 +how many people here had some kind of security responsibility + +0:00:39.820,0:00:41.660 +okay so wow that’s interesting + +0:00:41.660,0:00:43.530 +okay so there are a lot of security people here + +0:00:43.530,0:00:46.500 +I usually speak to security audiences + +0:00:46.500,0:00:47.430 +when I speak in + +0:00:47.430,0:00:49.019 +or when I spoke before at + +0:00:49.019,0:00:52.340 +BSD conferences it was usually on something + +0:00:52.340,0:00:54.490 +something I was doing with BSD + +0:00:54.490,0:00:56.409 +for security purposes so I kind of + +0:00:56.409,0:00:59.610 +had that same theme for today + +0:00:59.610,0:01:01.350 +so what we’ll talk about + +0:01:01.350,0:01:03.610 +just so you know I am I worked in a variety +of + +0:01:03.610,0:01:06.560 +I was in the military where I learned all this stuff + +0:01:06.560,0:01:10.050 +I work in commercial industry defense contractors + +0:01:10.050,0:01:12.490 +I worked for a small start up + +0:01:12.490,0:01:14.550 +out of Connecticut + +0:01:14.550,0:01:17.240 +you might have heard of us + +0:01:17.240,0:01:22.110 +we’ve lost like three hundred billion in market cap over +the last year it’s been an exciting ride + +0:01:22.110,0:01:25.230 +the ads 
general electric we get three hundred thousand users + +0:01:25.230,0:01:28.360 +um just a few security issues as you might +imagine + +0:01:28.360,0:01:30.590 +company that size + +0:01:30.590,0:01:31.689 +but what I’m going to talk about + +0:01:31.689,0:01:34.040 +uh first of all I’ll just do sort of a + +0:01:34.040,0:01:36.149 +intro of how I think about security + +0:01:36.149,0:01:40.470 +and why it drived me down the road of having +devices that I’ll talk about + +0:01:40.470,0:01:42.280 +and I’ll + +0:01:42.280,0:01:45.970 +I’m open to any questions it’s funny I was actually sitting +in front of a couple of guys who were asking me + +0:01:45.970,0:01:47.330 +we were talking about + +0:01:47.330,0:01:50.200 +that some of the software I’ll talk about he didn’t even +realize it was me + +0:01:50.200,0:01:51.120 +sitting at front + +0:01:51.120,0:01:53.039 +so if any point you have questions about + +0:01:53.039,0:01:54.940 +how we do things why we do things + +0:01:54.940,0:01:56.320 +please let me know + +0:01:56.320,0:01:59.179 +what I’m going to describe isn’t exactly what I do +with general electric + +0:01:59.179,0:02:02.390 +or at least it's not officially what I do at general +electric + +0:02:02.390,0:02:06.950 +but you can imagine that I just don’t come up with +this stuff in a vacuum and then present it obviously + +0:02:06.950,0:02:07.559 +it's + +0:02:07.559,0:02:12.199 +based on what I think works in various environments + +0:02:12.199,0:02:15.979 +so my job title is director of incident response + +0:02:15.979,0:02:19.930 +and what I tell people that they usually think of +oil spills or + +0:02:19.930,0:02:24.479 +you know Hazmat or something like that +its information security incidents + +0:02:24.479,0:02:28.349 +and I like to say that I’m as close to the problem +as you possibly could be + +0:02:28.349,0:02:30.639 +right and we have project managers who are + +0:02:30.639,0:02:32.890 +trying to create risk equations + +0:02:32.890,0:02:37.230 
+they're trying to figure out if I tweak this +knob it’ll result in more risk or less risk + +0:02:37.230,0:02:38.889 +I think that’s a whole bunch of + +0:02:38.889,0:02:40.069 +crap for the most part + +0:02:40.069,0:02:41.209 +%um + +0:02:41.209,0:02:46.189 +I deal with all the failures so I +deal with failure all around + +0:02:46.189,0:02:47.689 +I like to say that this + +0:02:47.689,0:02:51.709 +theory out there but the reality is when +okay you've got + +0:02:51.709,0:02:57.999 +dozens or hundreds or thousands of systems +that are compromised what do you do about that + +0:02:57.999,0:03:02.560 +so in some ways you might say that's actually +the worst possible place to do security is after it’s + +0:03:02.560,0:03:03.380 +failed but + +0:03:03.380,0:03:09.889 +in other ways maybe it's the best place because +you can see what's wrong and you can try to fix it + +0:03:09.889,0:03:14.539 +well you have to say what is security and I went +to the doctor one day and the doctor asked me questions + +0:03:14.539,0:03:15.469 +like well how do you feel + +0:03:15.469,0:03:17.629 +do you feel healthy + +0:03:17.629,0:03:19.190 +that's kind of like do you feel secure + +0:03:19.190,0:03:23.699 +so what is that even mean right I mean +if you think about health well you might say + +0:03:23.699,0:03:25.719 +how’s your blood pressure + +0:03:25.719,0:03:27.940 +well it’s under one hundred and twenty over eighty + +0:03:27.940,0:03:29.659 +that's sort of one data point + +0:03:29.659,0:03:33.119 +what about your cholesterol body mass index and so forth + +0:03:33.119,0:03:34.999 +the idea is that you have to measure something + +0:03:34.999,0:03:37.039 +and you have to get your data from somewhere + +0:03:37.039,0:03:40.040 +and what I find is that a lot of people who make +security decisions + +0:03:40.040,0:03:42.089 +are not getting data from anywhere + +0:03:42.089,0:03:43.559 +In fact + +0:03:43.559,0:03:45.450 +a lot of very high level security people + 
+0:03:45.450,0:03:48.560 +are getting data on the golf course when they're +talking to their fellow + +0:03:48.560,0:03:49.819 +CSIO’s about + +0:03:49.819,0:03:52.669 +hey what product are you buying from Cisco or this and that + +0:03:52.669,0:03:54.969 +and it’s completely disconnected from reality + +0:03:54.969,0:03:59.029 +and as a result nobody can tell whether they’re spending +any money on security that makes a difference + +0:03:59.029,0:04:00.339 +%um or how to get + +0:04:00.339,0:04:05.029 +how to get better + +0:04:05.029,0:04:08.849 +so like how many people here are sort of like involved in +federal security with like FISMA and stuff + +0:04:08.849,0:04:11.559 +like that that right + +0:04:11.559,0:04:12.510 +so I find all that to be the most frustrating thing possible + +0:04:12.510,0:04:15.409 +I don't deal with that because I’m in private industry + +0:04:15.409,0:04:18.889 +but I've commented on it quite a bit because I +have a blog + +0:04:18.889,0:04:22.469 +and I like to complain + +0:04:22.469,0:04:24.839 +so my feeling is that the FISMA folks + +0:04:24.839,0:04:27.910 +not be implement but the people who wrote the legislation +they tended + +0:04:27.910,0:04:29.889 +to focus on things like imput metrics + +0:04:29.889,0:04:30.930 +like do you have AV + +0:04:30.930,0:04:32.039 +do you have your patches + +0:04:32.039,0:04:34.499 +is the box configured properly + +0:04:34.499,0:04:35.889 +all those things of that nature + +0:04:35.889,0:04:39.610 +I call all those input metrics they really make no difference +as far as I'm concerned if you're truly trying to figure + +0:04:39.610,0:04:41.039 +out what the problem is + +0:04:41.039,0:04:42.510 +it's kind of like looking at a + +0:04:42.510,0:04:45.759 +sports teams let’s say an American football team + +0:04:45.759,0:04:47.240 +and you say well + +0:04:47.240,0:04:50.069 +input metrics would be like how tall are all the players + +0:04:50.069,0:04:51.939 +how fast do they run the forty + 
+0:04:51.939,0:04:53.330 +where did they go to school + +0:04:53.330,0:04:54.650 +you could look at all those things + +0:04:54.650,0:04:56.100 +but does that tell you what their + +0:04:56.100,0:04:58.549 +what their record was over the season + +0:04:58.549,0:05:01.250 +did they win the Super Bowl did they win their elite +championship + +0:05:01.250,0:05:03.669 +no those are those are all inputs right + +0:05:03.669,0:05:05.689 +I care about ouputs like + +0:05:05.689,0:05:08.810 +is this box is this box part of a bot net + +0:05:08.810,0:05:10.219 +no it’s not really Windows + +0:05:10.219,0:05:12.560 +%um + +0:05:12.560,0:05:13.900 +I could boot it into Windows but + +0:05:13.900,0:05:16.559 +I prefer to stay out of the bot net + +0:05:16.559,0:05:18.259 +did you + +0:05:18.259,0:05:22.669 +have an earnings report appear on the network share or +on a peer-to-peer network somewhere + +0:05:22.669,0:05:25.949 +that's that's an ouput that means you had a failure somewhere + +0:05:25.949,0:05:28.069 +do you have a system or network that’s unavailable + +0:05:28.069,0:05:29.720 +due to a Ddos attack + +0:05:29.720,0:05:31.060 +these are all outputs so + +0:05:31.060,0:05:32.710 +I try to focus on these + +0:05:32.710,0:05:36.459 +I really don't care so much about that I think +these can influence these + +0:05:36.459,0:05:40.539 +these are the things that I I care about + +0:05:40.539,0:05:44.129 +and just to step a +little bit out and change the way you might think + +0:05:44.129,0:05:48.619 +about this there was a good article in The Economist last +year where they talked about people who are + +0:05:48.619,0:05:49.410 +trying to make + +0:05:49.410,0:05:50.949 +policy decisions + +0:05:50.949,0:05:53.150 +about health policy in Africa + +0:05:53.150,0:05:55.500 +and it's a safe thing with security + +0:05:55.500,0:05:58.349 +right actually kind of what I like about seeing the +developers here is that in the last talk there was + +0:05:58.349,0:06:01.030 +lots of 
discussions about + +0:06:01.030,0:06:05.289 +you made this change and you get a five percent difference +or you made this change and you get a ten percent difference + +0:06:05.289,0:06:07.019 +none of that happens in security + +0:06:07.019,0:06:09.249 +it's all well we’ll deploy this and see what happens + +0:06:09.249,0:06:12.129 +actually it’s not even that we’ll deploy this + +0:06:12.129,0:06:13.900 +not even let's see what happens + +0:06:13.900,0:06:16.000 +there’s not even a test to see if it made any difference + +0:06:16.000,0:06:17.230 +so what I try to + +0:06:17.230,0:06:18.640 +focus on in my job + +0:06:18.640,0:06:20.739 +at GE is + +0:06:20.739,0:06:22.489 +let's do some tests like + +0:06:22.489,0:06:24.120 +the company is big enough + +0:06:24.120,0:06:26.680 +why don't we have part of the company + +0:06:26.680,0:06:27.699 +run + +0:06:27.699,0:06:29.539 +with no local admin on the desktop + +0:06:29.539,0:06:31.309 +and another part + +0:06:31.309,0:06:34.060 +continuing to run its local admin I didn’t say that +out loud sorry + +0:06:34.060,0:06:36.139 +and then compare and see what the infection rates are + +0:06:36.139,0:06:39.449 +and guess what I bet the ones with local admin +are going to be a hell of a lot worse + +0:06:39.449,0:06:42.199 +and there’s been some recent studies that have +shown that that's the case + +0:06:42.199,0:06:44.780 +so you can run these sort of policy-based trials + +0:06:44.780,0:06:46.100 +and figure out what you should do + +0:06:46.100,0:06:47.880 +then I can go talk to my boss and be like look + +0:06:47.880,0:06:51.900 +this part of the company that runs with local admin +they’re ten times worse than everybody else + +0:06:51.900,0:06:54.849 +and even better I can say it's costing us ten +times more + +0:06:54.849,0:06:56.529 +then we can make a change + +0:06:56.529,0:06:57.770 +but in order to do that you have to have + +0:06:57.770,0:06:58.740 +some kind of measurements + +0:06:58.740,0:07:01.349 
+you’re going to have data come from somewhere + +0:07:01.349,0:07:04.810 +and I like to say that I call this management +by fact not by belief + +0:07:04.810,0:07:06.479 +the there's a lot like + +0:07:06.479,0:07:08.860 +security people are very religious + +0:07:08.860,0:07:09.589 +we have this + +0:07:09.589,0:07:11.819 +idea of what should be and what shouldn’t be + +0:07:11.819,0:07:18.049 +and it's all because we don't think usually +measure what works which is unfortunate + +0:07:18.049,0:07:21.770 +so I’m all about visibility I want to find out what's +going on + +0:07:21.770,0:07:24.939 +and the reason I think about it this way is +I think in the air force + +0:07:24.939,0:07:26.990 +we have this thing called OODA loop + +0:07:26.990,0:07:31.849 +and if you’ve ever seen my hands doing this it’s because +I'm reliving my air force days flying around in my F-16 + +0:07:31.849,0:07:35.000 +not really I only flew once in the F-16 and +once in the F-15 + +0:07:35.000,0:07:35.770 +but + +0:07:35.770,0:07:39.219 +when I would talk to the fighter pilots they would talk +about having this thing the OODA loop + +0:07:39.219,0:07:41.400 +and it came out + +0:07:41.400,0:07:43.539 +like I’m thinking before the first gulf war + +0:07:43.539,0:07:45.270 +and the idea was you’re in your + +0:07:45.270,0:07:46.599 +F-16 + +0:07:46.599,0:07:48.110 +and you want to win the fight so + +0:07:48.110,0:07:50.159 +the first thing you do is look out the window + +0:07:50.159,0:07:51.389 +you see what's going on + +0:07:51.389,0:07:52.999 +that's your observation + +0:07:52.999,0:07:57.409 +and then you orient and you figure out well where am +I in relation to where the bad guys are + +0:07:57.409,0:08:02.359 +then you make a decision like okay is there’s a bad guy +I better roll over and shoot it down + +0:08:02.359,0:08:04.269 +and then you take the action + +0:08:04.269,0:08:06.009 +the problem we have with security + +0:08:06.009,0:08:06.849 +is that + +0:08:06.849,0:08:07.930 
+there's none of this + +0:08:07.930,0:08:09.269 +there’s no observe and orient + +0:08:09.269,0:08:11.749 +there’s only decide and act + +0:08:11.749,0:08:13.549 +so we have no idea what's happening + +0:08:13.549,0:08:16.030 +but we're told that to do things so we buy stuff + +0:08:16.030,0:08:16.930 +we deploy it + +0:08:16.930,0:08:18.699 +and we just keep doing that over and over again + +0:08:18.699,0:08:22.679 +and we never figure out if it makes any difference + +0:08:22.679,0:08:24.219 +the unfortunate thing is if you do + +0:08:24.219,0:08:27.599 +stumble upon something that works it's +usually luck + +0:08:27.599,0:08:29.809 +%uh as opposed to + +0:08:31.029,0:08:37.780 +figuring it out by observation and orientation +what you should be doing + +0:08:37.780,0:08:41.870 +so this is probably my favorite description + +0:08:41.870,0:08:45.120 +of security period + +0:08:45.120,0:08:49.830 +my aplogies to my European friends this +is the football poll security + +0:08:49.830,0:08:54.710 +but this is what I believe that I've seen +this just for years and years and years + +0:08:54.710,0:08:56.919 +the idea is you’re told + +0:08:56.919,0:08:58.750 +or you read in a magazine + +0:08:58.750,0:09:00.660 +or you talk to your buddy + +0:09:00.660,0:09:02.180 +about something bad + +0:09:02.180,0:09:06.090 +and you assume that that bad thing that's +happening it must be happening at your location + +0:09:06.090,0:09:06.540 +too + +0:09:06.540,0:09:09.190 +and sometimes it is but sometimes it isn’t + +0:09:09.190,0:09:12.330 +and so you run around and you spend all this time +on one area + +0:09:12.330,0:09:15.680 +while meanwhile you could be completely all about +something different + +0:09:15.680,0:09:19.650 +and I first started thinking about this in 2000 2001 + +0:09:19.650,0:09:21.800 +where there were some guys in Finland + +0:09:21.800,0:09:27.060 +who did this huge innumeration they were doing some of the +first fuzzing work against SMTP + 
+0:09:27.060,0:09:27.849 +it was called the + +0:09:27.849,0:09:29.000 +protos toolkit + +0:09:29.000,0:09:32.140 +and they did all this work in and they found that +basically everybody's SMTP + +0:09:32.140,0:09:33.970 +implementation was really bad + +0:09:33.970,0:09:35.640 +and they were all vulnerable + +0:09:35.640,0:09:37.430 +and the whole world was going to end because + +0:09:37.430,0:09:40.610 +SMTP vulnerabilities existed everywhere + +0:09:40.610,0:09:43.769 +well I don’t know if everybody was around back then +so they're looking at these things + +0:09:43.769,0:09:45.470 +but did the world end in 2001 + +0:09:45.470,0:09:47.690 +with SMTP + +0:09:47.690,0:09:48.940 +absolutely not + +0:09:48.940,0:09:51.259 +so while a lot of effort was spent on + +0:09:51.259,0:09:54.350 +spending all this time fixing SMTP implementations + +0:09:54.350,0:09:55.750 +when the bad guys really weren’t + +0:09:55.750,0:09:57.240 +taking advantage of it + +0:09:57.240,0:10:00.740 +so this is what I feel like is happening with +security now we're told about + +0:10:00.740,0:10:03.340 +this is the one that really kills me is + +0:10:03.340,0:10:04.769 +insider threats + +0:10:04.769,0:10:05.819 +oh they’re insider threats they're so bad + +0:10:05.819,0:10:08.890 +this in that and so you spend all your time over +here and you’re like + +0:10:08.890,0:10:13.750 +paying attention to your own employees you’re violating +their rights and their privacy + +0:10:13.750,0:10:15.100 +and meanwhie you got like + +0:10:15.100,0:10:16.899 +Romanians and Russians and Chinese and + +0:10:16.899,0:10:17.829 +every other + +0:10:17.829,0:10:20.380 +hacker in the world inside your company + +0:10:20.380,0:10:21.980 +that you can't do anything about + +0:10:21.980,0:10:25.590 +unless you know unless you actually do something + +0:10:25.590,0:10:28.030 +so my goal is to + +0:10:28.030,0:10:30.819 +get it so this guy he's looking at the right +spot + +0:10:30.819,0:10:33.040 +so at least he 
has a chance + +0:10:33.040,0:10:36.010 +right he doesn’t even have a chance if he’s looking +over there at least if you can sort of + +0:10:36.010,0:10:38.279 +orient and say okay well here’s this threat + +0:10:38.279,0:10:40.210 +here's what I need to do about it + +0:10:40.210,0:10:42.430 +you have a chance you still might get scored on right + +0:10:42.430,0:10:43.830 +but at least you can say + +0:10:43.830,0:10:47.330 +I had a fighting chance many organizations +when I was a consultant + +0:10:47.330,0:10:48.619 +I would drop into + +0:10:48.619,0:10:51.690 +and they didn't even have a fighting chance +there was just no + +0:10:51.690,0:10:56.310 +I would call them you know indefensible networks + +0:10:56.310,0:11:01.160 +to use a Cisco term I would call them self-defeating networks + +0:11:01.160,0:11:06.490 +self-defending anyway + +0:11:06.490,0:11:12.610 +yeah + +0:11:12.610,0:11:16.890 +the network part of ours sure + +0:11:16.890,0:11:19.110 +so yeah isn’t it interesting the self-defending network what +does that imply zero head count + +0:11:19.110,0:11:21.089 +that is the truth behind Cisco's vision + +0:11:21.089,0:11:23.370 +and think about it they sell it to every CIO + +0:11:23.370,0:11:25.080 +the CIO is like yeah + +0:11:25.080,0:11:27.970 +the network takes care of itself + +0:11:27.970,0:11:31.990 +oh yeah that means you you you you bye bye + +0:11:31.990,0:11:33.890 +and that's sort of the model that + +0:11:33.890,0:11:34.980 +I mean think about it + +0:11:34.980,0:11:37.140 +what business owner with would + +0:11:37.140,0:11:39.720 +not want to operate zero staff + +0:11:39.720,0:11:41.290 +if you could still make money + +0:11:41.290,0:11:43.050 +and no people + +0:11:43.050,0:11:43.930 +oh that's great + +0:11:43.930,0:11:49.920 +maybe you just have robots or something right don't they +don’t complain + +0:11:49.920,0:11:50.850 +So anwyay wow + +0:11:50.850,0:11:51.909 +that came out of nowhere + +0:11:51.909,0:11:53.300 +but %uh + 
+0:11:53.300,0:11:56.449 +that's what I see with a lot of things is a %uh + +0:11:56.449,0:11:58.980 +presumption that you just buy products right you +don't actually + +0:11:58.980,0:12:00.960 +invest in people so + +0:12:00.960,0:12:03.049 +back to this whole idea of visibility the question is + +0:12:03.049,0:12:04.089 +well where should you try to get visibility + +0:12:05.259,0:12:07.750 +and I’ll talk about what kind of visibility + +0:12:07.750,0:12:11.680 +well the model that I use is to establish trust +boundaries first and what’s interesting about + +0:12:11.680,0:12:13.160 +using a trust boundary approach is + +0:12:13.160,0:12:14.420 +it can apply anywhere + +0:12:14.420,0:12:16.910 +I use a network example here because + +0:12:16.910,0:12:19.170 +it's a low-cost way to do it + +0:12:19.170,0:12:21.220 +but you can apply trust boundaries + +0:12:21.220,0:12:22.790 +on a system + +0:12:22.790,0:12:24.010 +within an application + +0:12:24.010,0:12:26.400 +I mean there’s lots of different places that you can apply +trust boundaries + +0:12:26.400,0:12:28.849 +the idea is though once you establish trust boundaries + +0:12:28.849,0:12:29.829 +start watching + +0:12:29.829,0:12:31.150 +something there + +0:12:31.150,0:12:33.010 +so I’m going to use a network example but you could + +0:12:33.010,0:12:35.540 +you know apply it someplace else + +0:12:35.540,0:12:37.050 +so what I do is I + +0:12:37.050,0:12:39.600 +the general process is I identify my trust boundaries + +0:12:39.600,0:12:41.280 +I apply some instrumentation + +0:12:41.280,0:12:43.620 +and then I collect analyse and escalate + +0:12:43.620,0:12:46.000 +%uh collect meaning I get the information + +0:12:46.000,0:12:48.420 +analyse I look at it figure out what it means + +0:12:48.420,0:12:48.889 +escalate + +0:12:48.889,0:12:53.920 +is take it to somebody who cares + +0:12:53.920,0:12:57.420 +surprisingly difficult to find those people +in many + +0:12:57.420,0:12:57.980 +enterprises + 
+0:12:57.980,0:13:00.020 +I came from the DOD where + +0:13:00.020,0:13:02.649 +if we found a single machine that was compromised + +0:13:02.649,0:13:03.730 +that was an incident + +0:13:03.730,0:13:05.889 +and it could be reported all the way up to some +general + +0:13:05.889,0:13:07.339 +who would be on the phone + +0:13:07.339,0:13:10.580 +like barking orders that you need to fix this +within + +0:13:10.580,0:13:12.440 +hours or days or whatever it was + +0:13:12.440,0:13:14.250 +to private industry + +0:13:14.250,0:13:15.100 +where + +0:13:15.100,0:13:17.660 +you finding a compromise computer + +0:13:17.660,0:13:22.200 +and the response could be + +0:13:22.200,0:13:23.370 +eh what can they do + +0:13:23.370,0:13:26.790 +well they can access any machine that’s in this domain + +0:13:26.790,0:13:28.220 +well have they + +0:13:28.220,0:13:33.670 +%uh because I just got here I can't tell yet + +0:13:33.670,0:13:35.949 +I really don't know if we have to care about +this right + +0:13:35.949,0:13:39.520 +the only thing that’s changed that recently has been the +disclosure laws + +0:13:39.520,0:13:44.180 +because there are some disclosure laws that say if +it's possible that they could have stolen the data + +0:13:44.180,0:13:45.300 +you need to report + +0:13:45.300,0:13:47.570 +so that's changed the equation + +0:13:47.570,0:13:48.140 +dramatically + +0:13:48.140,0:13:52.940 +right it used to be in fact I worked some big +cases years ago where it was like + +0:13:52.940,0:13:56.940 +well you guys signed an NDA with us right yeah we +did + +0:13:56.940,0:13:58.120 +right well just bye bye + +0:13:58.120,0:13:59.860 +see you later + +0:13:59.860,0:14:02.270 +okay great alright well I’m glad I’m not a customer + +0:14:02.270,0:14:08.190 +at this place + +0:14:08.190,0:14:12.019 +I didn’t responded there I bank with Bank of America and the +reason I bank with Bank of America + +0:14:12.019,0:14:13.980 +is I know the guy who runs security there + 
+0:14:13.980,0:14:16.100 +and he does this + +0:14:16.100,0:14:17.340 +so of course + +0:14:17.340,0:14:18.640 +I still think he has a job + +0:14:18.640,0:14:19.739 +now that I think about it + +0:14:19.739,0:14:21.390 +has he been replaced by a robot + +0:14:22.410,0:14:24.490 +no he hasn’t been replaced by a robot + +0:14:24.490,0:14:26.810 +maybe his minions have been replaced by + +0:14:26.810,0:14:28.590 +Perl strips but + +0:14:28.590,0:14:32.010 +he’s still there + +0:14:32.010,0:14:34.010 +so this is my general process + +0:14:35.130,0:14:38.570 +and it’s funny people have probably heard about building security in + +0:14:38.570,0:14:42.620 +that's like trying to make things more secure +have been trying to do that for like twenty years + +0:14:42.620,0:14:44.240 +it just doesn't work + +0:14:44.240,0:14:48.910 +so I would say let’s monitor first because at least when you monitor you can tell that something bad is happening + +0:14:48.910,0:14:52.000 +if you just say build security in and walk away + +0:14:52.000,0:14:52.730 +then you’re in trouble + +0:14:52.730,0:14:56.250 +what I find is that in any product you have +this cycle + +0:14:56.250,0:14:59.020 +where you start out with a feature + +0:14:59.020,0:15:03.140 +and then the features proliferate and you need to manage them + +0:15:03.140,0:15:06.689 +and then somebody’s like oh yeah we need to apply +some security to that + +0:15:06.689,0:15:10.150 +and then finally check to see if it works when really +it should be the other way + +0:15:10.150,0:15:11.500 +figure out what’s out there + +0:15:11.500,0:15:13.230 +build a security policy for it + +0:15:13.230,0:15:14.080 +manage it + +0:15:14.080,0:15:19.330 +and then introduce the feature but that's +not how it’s done + +0:15:19.330,0:15:23.340 +I wanted to mention here some I just want +to put this on the table before I go into my + +0:15:23.340,0:15:24.970 +next part because these are they + +0:15:24.970,0:15:26.800 +%uh criticisms I usually hear 
+ +0:15:26.800,0:15:31.220 +so let's just mention them now so if I’m taking some kind of +a network-centric approach to + +0:15:31.220,0:15:32.460 +security + +0:15:32.460,0:15:35.090 +the first thing we’re always told is well what about the +cloud + +0:15:35.090,0:15:39.440 +and this is very interesting %uh I work really +closely with the guy does the cloudsecurity.org + +0:15:39.440,0:15:40.870 +blog + +0:15:40.870,0:15:44.800 +and %uh he's he's a fellow employee with +me is that we always considering this because + +0:15:44.800,0:15:45.380 +we’re + +0:15:45.380,0:15:48.260 +putting more and more of our stuff in the cloud + +0:15:48.260,0:15:49.140 +and if your + +0:15:49.140,0:15:50.630 +window to the cloud + +0:15:50.630,0:15:53.530 +is an SSL encrypted pipe + +0:15:53.530,0:15:58.430 +%um it doesn't help me too much to inpsect it at the +network level right + +0:15:58.430,0:16:00.129 +so we're going to have to push our cloud vendors + +0:16:00.129,0:16:02.769 +to provide the visibility for us + +0:16:02.769,0:16:04.650 +oh boy that’s really happening + +0:16:04.650,0:16:10.110 +try getting good logs out of any of the cloud buyers +it is absolutely horrible they they don't + +0:16:10.110,0:16:14.150 +they don't want to store them they don't want +to provide you the data in any format that’s useful + +0:16:14.150,0:16:17.710 +if they provide you with anything it's generally +performance metrics like + +0:16:17.710,0:16:20.580 +we cleaned ten billion of your emails today + +0:16:20.580,0:16:23.159 +oh that’s wonderful that’s great you know I don’t care + +0:16:23.159,0:16:24.660 +I don’t care how many emails you cleaned + +0:16:24.660,0:16:26.660 +I want to know about + +0:16:26.660,0:16:28.660 +which ones came from this + +0:16:28.660,0:16:30.650 +%uh a person who + +0:16:30.650,0:16:32.519 +was phishing us + +0:16:32.519,0:16:36.600 +and you know got control of some of our systems and +so forth + +0:16:36.600,0:16:38.400 +virtualisation is obviously an issue + 
+0:16:38.400,0:16:40.100 +%um if you think about + +0:16:40.100,0:16:42.290 +in a one-machine + +0:16:42.290,0:16:43.230 +one + +0:16:43.230,0:16:44.460 +platform world + +0:16:44.460,0:16:47.260 +any time two machines talk you can potentially see the +traffic + +0:16:47.260,0:16:50.370 +what happens when you have a hundred machines all on one +platform + +0:16:50.370,0:16:54.350 +unless you instrument the virtual machine +itself + +0:16:54.350,0:16:57.539 +you know one hundred machines could all be infected an +talking to each other and stuff but + +0:16:57.539,0:16:59.219 +the way I deal with that is + +0:16:59.219,0:17:01.649 +unless the bad guy is also inside the VM + +0:17:01.649,0:17:03.370 +like he lives in it + +0:17:03.370,0:17:07.810 +you can see him because generally the people +you care about are on another continent + +0:17:07.810,0:17:08.590 +so + +0:17:08.590,0:17:09.490 +I mean it could be + +0:17:09.490,0:17:11.390 +somewhere else in the united states obviously but for + +0:17:11.390,0:17:14.449 +the most part like if someone were to compromise +my machine + +0:17:14.449,0:17:16.439 +unless they physically walk up to it and touch it + +0:17:16.439,0:17:19.040 +there will be some network traffic that reaches out + +0:17:19.040,0:17:19.959 +and generally that’s enough + +0:17:19.959,0:17:22.339 +to tell that there’s a problem + +0:17:22.339,0:17:28.080 +so maybe the fastest way to tell if there’s a +kernel rootkit on a system + +0:17:28.080,0:17:29.720 +it’s for the system to look normal + +0:17:29.720,0:17:32.380 +but to have it to be beaconing out to + +0:17:32.380,0:17:34.160 +you know take your pick of rogue country + +0:17:34.160,0:17:37.560 +so that that's a very effective way to +use to find stuff + +0:17:37.560,0:17:41.020 +And of course you’ve got your non-traditional +platforms + +0:17:41.020,0:17:43.580 +you know I’ve got my Blackberry here I absolutely love it + +0:17:43.580,0:17:46.910 +but I would love to be able sniff the traffic 
+going to and from it + +0:17:46.910,0:17:47.270 +because + +0:17:47.270,0:17:50.690 +who knows who’s sitting on my Blackberry right now + +0:17:50.690,0:17:51.650 +I really don't know + +0:17:51.650,0:17:52.550 +and that kills me + +0:17:52.550,0:17:53.889 +it kills me kills me kills me + +0:17:53.889,0:17:55.090 +that I cannot + +0:17:55.090,0:17:57.809 +find an interface sniff traffic on it and see +what's happening + +0:17:57.809,0:18:00.080 +or somehow get between the wireless + +0:18:00.080,0:18:03.670 +watch the traffic and see what's happening + +0:18:03.670,0:18:06.110 +so that to me it's a big issue + +0:18:06.110,0:18:08.399 +and we’ve got all these crazy European privacy laws + +0:18:08.399,0:18:11.690 +I can’t collect anything in that whole continent + +0:18:11.690,0:18:13.690 +not true it kills me though it's kind of difficult + +0:18:13.690,0:18:15.830 +%um you’ve got this tension between + +0:18:15.830,0:18:20.570 +%uh it's interesting Europeans tend to have very +strong collection laws like you have to keep logs for a + +0:18:20.570,0:18:22.380 +certain period of time + +0:18:22.380,0:18:24.830 +but at the same time they have very strong privacy laws + +0:18:24.830,0:18:27.760 +so this is a tension there + +0:18:27.760,0:18:29.870 +skilled resources I don't know about you but +it + +0:18:29.870,0:18:33.410 +even with the downturn it's tough to find +good security people I think + +0:18:33.410,0:18:36.540 +there's a lot of people who come out with +their Cisco certified + +0:18:36.540,0:18:37.410 +whatever + +0:18:37.410,0:18:39.330 +and they don't know the first thing about + +0:18:39.330,0:18:42.420 +how to actually secure anything which is tough + +0:18:42.420,0:18:46.270 +and then finally we see this quite often in software + +0:18:46.270,0:18:47.149 +security space + +0:18:47.149,0:18:49.820 +a lot of the tools that are out there were +built for + +0:18:49.820,0:18:50.370 +developers + +0:18:50.370,0:18:52.850 +and for performance and not for 
security + +0:18:52.850,0:18:54.470 +So you see people using tools + +0:18:54.470,0:19:00.280 +to disassemble malware that were built +for reverse engineering for software purposes + +0:19:00.280,0:19:04.150 +and not for security purposes + +0:19:04.150,0:19:05.960 +anyway so what I’m going to talk about briefly + +0:19:05.960,0:19:06.980 +is not new + +0:19:06.980,0:19:08.840 +I was actually cleaning out + +0:19:08.840,0:19:11.240 +an old drive and I found this presentation + +0:19:11.240,0:19:13.120 +from 2000 + +0:19:13.120,0:19:16.150 +I used to give this briefing when I was in + +0:19:16.150,0:19:18.250 +the air force cert + +0:19:18.250,0:19:20.510 +and we would talk about the history of our +unit + +0:19:20.510,0:19:22.520 +and back in 1993 + +0:19:22.520,0:19:25.910 +we were deploying what we call network security +monitoring systems + +0:19:25.910,0:19:26.720 +and + +0:19:26.720,0:19:28.810 +the NSN term + +0:19:28.810,0:19:29.309 +comes from + +0:19:29.309,0:19:33.490 +the first network based IDS that taught + +0:19:33.490,0:19:35.400 +he wrote it in UC Davis in ‘89 + +0:19:35.400,0:19:39.520 +so this is wow that’s twenty years I feel +freaking old right now + +0:19:39.520,0:19:39.979 +it’s amazing + +0:19:39.979,0:19:40.820 +so + +0:19:40.820,0:19:44.170 +so this is not a new thing and I wrote a book about this +in 2004 so + +0:19:44.170,0:19:45.230 +that's five years + +0:19:45.230,0:19:46.540 +ago now so + +0:19:46.540,0:19:50.470 +this is not new the funny thing is vendors +is finally start to catch up with it + +0:19:50.470,0:19:56.750 +and they call them network forensic appliances +and they charge you fifty thousand dollars + +0:19:56.750,0:20:02.110 +for the enterprise that’s right + +0:20:02.110,0:20:04.870 +yeah enterprise means expensive + +0:20:04.870,0:20:06.260 +I like that + +0:20:06.260,0:20:07.480 +that’s good + +0:20:07.480,0:20:09.100 +and GUI that's right + +0:20:09.100,0:20:13.610 +and somebody you can complain to who can’t really 
answer +your problems + +0:20:13.610,0:20:17.320 +alright so I present this because I don’t want to take credit +for this approach + +0:20:18.649,0:20:19.789 +because + +0:20:19.789,0:20:22.590 +people we were doing this I came in around here + +0:20:22.590,0:20:24.210 +but we were doing this earlier + +0:20:24.210,0:20:27.480 +so I learned from people who invented this stuff + +0:20:27.480,0:20:30.779 +you know wow that's like fifteen years ago + +0:20:30.779,0:20:35.279 +alright so why network censors + +0:20:35.279,0:20:40.080 +I have to say some of the artwork I saw in these +presentations were so awesome I feel that mine’s + +0:20:40.080,0:20:40.800 +terrible I mean it was + +0:20:40.800,0:20:45.840 +the lego stuff that was great I need to do like a +little lego pyramid + +0:20:45.840,0:20:48.000 +I really like that but this is different + +0:20:50.210,0:20:55.030 +I wondered where you got your bricks from I have to like +raid my kids lego + +0:21:05.990,0:21:07.820 +that is funny that is good though I’m a visual + +0:21:07.820,0:21:13.250 +I was right in there with the bricks + +0:21:13.250,0:21:14.179 +so + +0:21:14.179,0:21:19.730 +I call this my top security enterprise trust pyramid + +0:21:19.730,0:21:24.180 +I ripped this out of something I used to do when +I was a consultant + +0:21:24.180,0:21:26.990 +and basically it’s a justification for why it’s good to have +network censors and the idea is this + +0:21:26.990,0:21:28.980 +this is the least trusted part and this is the most trusted + +0:21:31.419,0:21:34.279 +that's low user interaction and this is high user interaction + +0:21:34.279,0:21:36.769 +and this also in terms of the numbers of devices + +0:21:36.769,0:21:39.059 +so in an enterprise you tend to have the most + +0:21:39.059,0:21:40.630 +user platforms + +0:21:40.630,0:21:43.840 +desktops laptops phones all that kind of stuff + +0:21:43.840,0:21:45.980 +above that you have servers + +0:21:45.980,0:21:47.550 +above that you have 
infrastructure + +0:21:47.550,0:21:53.920 +%um routers firewalls things like that and above +that you have censors + +0:21:53.920,0:21:55.550 +so I trust these the least + +0:21:55.550,0:21:56.350 +because + +0:21:56.350,0:21:57.920 +well because there are these + +0:21:57.920,0:21:59.390 +users + +0:21:59.390,0:22:01.800 +right and users are doing things like + +0:22:01.800,0:22:03.440 +interacting with the system + +0:22:03.440,0:22:06.229 +if they didn’t interact with the system I would +probably trust it more + +0:22:06.229,0:22:08.090 +but because they’re on the system + +0:22:08.090,0:22:09.950 +they could be running as an admin + +0:22:09.950,0:22:11.850 +they're going to all these + +0:22:11.850,0:22:13.620 +you know malicious web sites + +0:22:13.620,0:22:15.770 +even normal web sites + +0:22:15.770,0:22:18.940 +that have been owned or are injecting malicious job descripts +or whatever + +0:22:18.940,0:22:21.430 +so the more user interaction there is + +0:22:21.430,0:22:24.889 +the less likely I’m going to trust what +the system tells me + +0:22:24.889,0:22:26.600 +so why get on a system and I say + +0:22:26.600,0:22:29.680 +tell me how you're feeling you know what your +state + +0:22:29.680,0:22:34.190 +I'm not going to trust that system eighty +is generally worthless + +0:22:34.190,0:22:36.960 +you have to get outside of the this is +the key point + +0:22:36.960,0:22:41.070 +you have to get away from these things you +have to get outside the system to get of you + +0:22:41.070,0:22:41.970 +whether or not + +0:22:41.970,0:22:43.520 +you should trust it + +0:22:43.520,0:22:44.750 +but that's not the case right + +0:22:44.750,0:22:49.260 +we're moving more and more to pushing all the security +down to the end point + +0:22:49.260,0:22:50.560 +so like my laptop defends itself + +0:22:50.560,0:22:52.380 +my phone defends itself + +0:22:52.380,0:22:53.869 +guess what if they fail + +0:22:53.869,0:22:56.950 +the whole model fails as well + 
+0:22:56.950,0:23:00.110 +so above this we have servers I +trust servers a little bit more + +0:23:00.110,0:23:01.710 +because if you're a good admin + +0:23:01.710,0:23:03.019 +you're not surfing + +0:23:03.019,0:23:06.370 +MySpace on your Windows server + +0:23:06.370,0:23:08.070 +right well you’re not on a Windows server + +0:23:08.070,0:23:13.590 +but well you can admin on a Windows server +but you know what I mean + +0:23:13.590,0:23:16.710 +well because I think that's right that's true + +0:23:16.710,0:23:18.960 +above that you have infrastructure + +0:23:18.960,0:23:20.140 +no one should be + +0:23:20.140,0:23:21.530 +in general + +0:23:21.530,0:23:24.050 +like no user is directly + +0:23:24.050,0:23:25.450 +dealing with a firewall + +0:23:25.450,0:23:27.309 +if a user is logging into a firewall + +0:23:27.309,0:23:28.980 +there’s a problem right + +0:23:28.980,0:23:32.080 +a user doesn't necessarily log into a server but he uses +services on the server right + +0:23:32.080,0:23:34.840 +so I tend to trust this even more + +0:23:34.840,0:23:38.330 +because you just can't touch them + +0:23:38.330,0:23:43.230 +the number of people who deal with the infrastructure in +general is smaller than the number of people who deal +with servers + +0:23:43.230,0:23:46.150 +and in many cases the infrastructure is completely + +0:23:46.150,0:23:48.630 +you know invisible + +0:23:48.630,0:23:52.890 +alright how many people like interact with a router when +you're sending traffic through + +0:23:52.890,0:23:54.970 +no you know it passes traffic + +0:23:54.970,0:23:57.520 +same with the firewall blocks it allows it whatever + +0:23:57.520,0:23:58.649 +so I tend to trust + +0:23:58.649,0:24:01.600 +what this will tell me even more because there's +less user action + +0:24:01.600,0:24:03.690 +the final stage here is my sensor + +0:24:03.690,0:24:06.390 +the sensors completely pass it + +0:24:06.390,0:24:09.210 +most of the people in the company might not even know it +exists + 
+0:24:09.210,0:24:11.139 +which is which is good in most cases + +0:24:11.139,0:24:14.760 +unless you want a deterrent effect + +0:24:14.760,0:24:16.390 +so I can get data from the sensor + +0:24:16.390,0:24:18.390 +typically like in my team + +0:24:18.390,0:24:21.960 +there's only two people that even know the route +password + +0:24:21.960,0:24:24.270 +we could heavily defend these things + +0:24:24.270,0:24:26.159 +we can have them defend + +0:24:26.159,0:24:27.549 +each other + +0:24:27.549,0:24:28.620 +like watch each other + +0:24:28.620,0:24:31.529 +so I tend to have a very very high confidence to +what the sensor is telling me + +0:24:31.529,0:24:33.530 +as opposed to + +0:24:33.530,0:24:35.180 +what a user platform is telling me + +0:24:35.180,0:24:35.980 +so if I’m + +0:24:35.980,0:24:37.799 +if I’m on a user platform + +0:24:37.799,0:24:41.290 +and I'm looking around for evidence of a rootkit +and I see nothing + +0:24:41.290,0:24:44.140 +but up here in my sensor showing traffic going by + +0:24:44.140,0:24:47.220 +out to some site in Brazil + +0:24:47.220,0:24:48.490 +then I can say + +0:24:48.490,0:24:50.070 +alright we have a problem here + +0:24:50.070,0:24:51.120 +so this is why I like + +0:24:51.120,0:24:54.020 +to itroduce these sorts of devices + +0:24:54.020,0:24:55.070 +let me talk a little bit + +0:24:55.070,0:24:55.959 +to about + +0:24:55.959,0:24:57.560 +least trusted and most trusted + +0:24:57.560,0:24:59.840 +if you had to rank operating systems here + +0:24:59.840,0:25:01.830 +would you put Windows up here + +0:25:01.830,0:25:02.899 +and BSD here + +0:25:02.899,0:25:06.150 +or the other way around right + +0:25:06.150,0:25:11.010 +so I like to use BSD especially for my sensors + +0:25:11.010,0:25:13.510 +because I introduce what we call a technology gap + +0:25:13.510,0:25:16.789 +my company we use a lot of Windows as you +might imagine + +0:25:16.789,0:25:19.230 +and we use a lot of Linux + +0:25:19.230,0:25:22.820 +we don't use a lot 
of BSD in fact I’m +probably the only BSD + +0:25:22.820,0:25:24.770 +shop in the company that I know of + +0:25:24.770,0:25:25.729 +but that's good + +0:25:25.729,0:25:28.090 +because if you’re a bad guy and you get inside the company + +0:25:28.090,0:25:31.850 +and you root our Windows infrastructure and you root our +Linux infrastructure + +0:25:31.850,0:25:34.420 +and then you find some BSD boxes + +0:25:34.420,0:25:36.530 +and we administer them ourselves + +0:25:36.530,0:25:39.020 +it's going to take a lot more work to get +into this + +0:25:39.020,0:25:41.930 +and we’re probably did notice when you're trying +to get into our systems + +0:25:41.930,0:25:44.220 +so it does not make sense and I’ve seen + +0:25:44.220,0:25:47.450 +we get a lot of pressure on this internally +and I’ve seen it in other companies + +0:25:47.450,0:25:49.740 +to have our sensing + +0:25:49.740,0:25:50.180 +infrastructure + +0:25:50.180,0:25:53.679 +be integrated with the rest of the company +infrastructure + +0:25:53.679,0:25:54.930 +right oh just have you know + +0:25:54.930,0:25:58.190 +have our hosted Linux service + +0:25:58.190,0:26:00.059 +where you know you can have + +0:26:00.059,0:26:01.870 +potentially all these admins you don't know + +0:26:01.870,0:26:04.960 +on another continent logging into your devices + +0:26:04.960,0:26:07.280 +no way you know I want a gap I want + +0:26:07.280,0:26:09.580 +the stuff that we have to protect + +0:26:09.580,0:26:10.730 +not be + +0:26:10.730,0:26:12.470 +the same as what’s using + +0:26:12.470,0:26:13.170 +or not be + +0:26:13.170,0:26:15.740 +the same systems that we’re using to watch this + +0:26:15.740,0:26:16.729 +so I introduced BSD as + +0:26:16.729,0:26:18.540 +as a new operating system to + +0:26:18.540,0:26:23.110 +watch this yes + +0:26:23.110,0:26:27.950 +so the question was do I stay on the Intel platform + +0:26:27.950,0:26:30.750 +I actually bring up that point in my forensics talks + +0:26:30.750,0:26:32.780 +I am on an 
Intel platform + +0:26:32.780,0:26:34.370 +for my sensors + +0:26:34.370,0:26:37.250 +however + +0:26:37.250,0:26:40.130 +depending on how you want to do forensics for +example + +0:26:40.130,0:26:43.710 +I have done cases where I had one tax stack +where I’ve got + +0:26:43.710,0:26:46.730 +you know Intel Windows + +0:26:46.730,0:26:48.180 +Toolex + +0:26:48.180,0:26:48.780 +whatever + +0:26:48.780,0:26:51.119 +and in another platform where I’ve got + +0:26:51.119,0:26:52.559 +Power PC + +0:26:52.559,0:26:53.420 +Debian + +0:26:53.420,0:26:55.560 +blah blah blah blah blah and something completely different + +0:26:55.560,0:26:58.740 +and I will say by the way + +0:26:58.740,0:27:04.310 +I don't run the one sytem I expose in my home lab +is not an Intel system + +0:27:04.310,0:27:06.940 +it's a Mac mini + +0:27:06.940,0:27:08.550 +and it’s running Debian on top + +0:27:08.550,0:27:11.789 +I tried to put on BSD I had a problem +I don’t know what that was + +0:27:11.789,0:27:13.109 +probably user error but + +0:27:13.109,0:27:15.310 +so Debian is running on that and what’s + +0:27:15.310,0:27:18.529 +nice about that is do you remember when the Debian +the SSL stuff when was that + +0:27:22.789,0:27:24.340 +that happened recently + +0:27:24.340,0:27:27.360 +all of the pre-compiled exploits for that + +0:27:27.360,0:27:30.570 +%uh and all of the pre-compiled keys + +0:27:30.570,0:27:34.230 +they shell code was all wrong because I was running +Power PC + +0:27:34.230,0:27:36.240 +and like when I did my + +0:27:36.240,0:27:38.050 +update or whatever I was like oh + +0:27:38.050,0:27:39.110 +I wonder if I’m affected by that + +0:27:39.110,0:27:42.160 +and it kept saying I wasn't even though I knew +I was because the + +0:27:42.160,0:27:44.270 +you know I had the vulnerable library version + +0:27:44.270,0:27:46.809 +I was like that's right this isn’t an Intel box + +0:27:46.809,0:27:48.170 +it's a Power PC box + +0:27:48.170,0:27:52.120 +so I do use that diversity 
argument in very very +limited situations + +0:27:52.120,0:27:55.180 +but it would be really expensive for me to say buy + +0:27:55.180,0:27:57.639 +you know eighty + +0:27:57.639,0:28:01.710 +I don't know I’m not even sure what I would use these days +it would be tough to find that I could get + +0:28:01.710,0:28:03.070 +a good price and everything + +0:28:03.070,0:28:06.460 +so I have to make some compromises there + +0:28:06.460,0:28:10.419 +but that’s not a bad idea if you have to have some kind of +like central server that was going to like watch everything maybe + +0:28:10.419,0:28:12.559 +you need to go that extra step to make it + +0:28:12.559,0:28:15.580 +even more diverse + +0:28:15.580,0:28:18.380 +alright so I’d like to talk just for a minute +about what I do + +0:28:18.380,0:28:21.320 +like to deploy + +0:28:21.320,0:28:23.190 +um what’s my time here + +0:28:23.190,0:28:29.300 +so I'm involved with this open source project called SGUIL +S-G-U-I-L + +0:28:29.300,0:28:32.780 +SGUIL doesn't stand for anything officially + +0:28:32.780,0:28:38.180 +but it originally when we first wrote it in like by the way +Bam Busher is the lead developer he’s probably actually the +only developer + +0:28:38.180,0:28:42.360 +the rest of us are just lamers + +0:28:42.360,0:28:43.820 +that's what the L means + +0:28:43.820,0:28:46.660 +originally it was snort GUI for lamers + +0:28:46.660,0:28:48.900 +%uh but then a couple people who got it + +0:28:48.900,0:28:52.490 +well we didn't get the joke they got a software +like I’m not a lamer I’m not going to use your software + +0:28:52.490,0:28:54.220 +well I don’t care if you use it or not + +0:28:59.890,0:29:01.540 +yeah right + +0:29:01.540,0:29:04.060 +But we felt okay that’s kind of + +0:29:04.060,0:29:09.860 +we’ll just call it SGUIL it doesn’t mean anything + +0:29:09.860,0:29:13.670 +So I’m going to talk to you about SGUIL but the thing about +SGUIL to remember is + +0:29:13.670,0:29:15.310 +it's open source it runs on 
+ +0:29:15.310,0:29:16.460 +you know Picker + +0:29:16.460,0:29:18.080 +Distrobe Choice + +0:29:18.080,0:29:19.970 +or Flavor whatever you want + +0:29:19.970,0:29:22.080 +it's more about the data and less about the tool + +0:29:22.080,0:29:24.690 +so you could potentially implement this with your own tools + +0:29:24.690,0:29:26.850 +%uh even commercial if you wanted to + +0:29:26.850,0:29:29.350 +%um it’s really + +0:29:29.350,0:29:32.419 +about way of getting data and thinking about it and less +about the actual + +0:29:32.419,0:29:37.020 +the actual tool + +0:29:37.020,0:29:38.400 +you know this guy it’s Elvis + +0:29:38.400,0:29:44.900 +you know what martial art he studied + +0:29:49.720,0:29:51.000 +so here’s Elvis + +0:29:51.000,0:29:53.750 +and Elvis is the patron saint of this system + +0:29:53.750,0:29:56.380 +I don't know why it's been a long time + +0:29:56.380,0:29:57.230 +but %uh + +0:29:57.230,0:30:00.609 +I love Elvis because he’s in his Kenpo karate stance + +0:30:00.609,0:30:02.480 +and his stance is like this + +0:30:02.480,0:30:08.860 +which it would take him like a week to get out +of his fight stance to do anything + +0:30:08.860,0:30:12.610 +I actually won some concert tickets by stumping +an Elvis expert on a radio station here + +0:30:12.610,0:30:13.399 +in DC- + +0:30:13.399,0:30:16.120 +I called and said what style of martial arts did he + +0:30:16.120,0:30:18.590 +he’s like oh karate I’m like what style + +0:30:18.590,0:30:20.080 +oh I don't know + +0:30:20.080,0:30:21.070 +Kenpo karate well + +0:30:21.070,0:30:22.559 +who was his masters’ name + +0:30:22.559,0:30:23.670 +uh Ed Parker + +0:30:23.670,0:30:29.540 +and they were like oh you just won those tickets you stumped +the Elvis expert + +0:30:29.540,0:30:34.540 +so here you have Elvis I’m going to contrast these two methods +of doing investigations right + +0:30:34.540,0:30:35.870 +so you’ve got Elvis + +0:30:35.870,0:30:38.640 +he’s your analyst you don’t want to piss him off + 
+0:30:38.640,0:30:40.289 +he’s Elvis + +0:30:40.289,0:30:43.799 +he’ll hit you with his magic karate shot + +0:30:43.799,0:30:47.580 +he gets an alert via some system right well not these days he’s looking trim man + +0:30:47.580,0:30:50.900 +by the way if you’ve ever watched him in concert + +0:30:50.900,0:30:53.970 +he’s doing Kenpo like throughout the concert all the moves + +0:30:53.970,0:30:55.910 +he’s doing + +0:30:55.910,0:30:56.269 +he’s doing Kenpo + +0:30:56.269,0:30:59.089 +you zoom in he’s got a Kenpo patch on whatever +he's wearing + +0:30:59.089,0:31:01.279 +you look at his guitar it’s got the Kenpo patch on it + +0:31:01.279,0:31:05.300 +like once you’re exposed to the fact that he did this style it's +everywhere + +0:31:05.300,0:31:06.470 +in fact there was one + +0:31:06.470,0:31:11.210 +he did a concert once actually he didn't +do a concert he attended somebody else’s concert + +0:31:11.210,0:31:15.190 +and I don't know who it was like Johnny Cash or something +but he saw him in the audience + +0:31:15.190,0:31:16.370 +he’s like Elvis do you want to come up here + +0:31:16.370,0:31:17.910 +you know do a song with me + +0:31:17.910,0:31:19.800 +and he’s like oh sorry you know + +0:31:19.800,0:31:22.880 +I'm under contract I can only perform at +this + +0:31:22.880,0:31:23.570 +one casino + +0:31:23.570,0:31:27.360 +but I’ll tell you what I’ll come on stage and do karate + +0:31:30.100,0:31:32.190 +so this guy is doing his performance and Elvis is just jumping on doing karate + +0:31:32.190,0:31:34.530 +I’ve got to find a video of that that would be great + +0:31:34.530,0:31:36.720 +so anyway Elvis is here + +0:31:36.720,0:31:39.440 +and his job is to find intruders + +0:31:39.440,0:31:41.150 +so he gets his console and he gets and alert + +0:31:41.150,0:31:41.990 +and he looks at it and he’s like + +0:31:41.990,0:31:43.520 +alright well + +0:31:43.520,0:31:45.230 +I’ve got to figure out if this matters + +0:31:45.230,0:31:48.470 +so what do I have 
to work with + +0:31:48.470,0:31:50.960 +well I have other alerts like a picture in front of some Cisco device + +0:31:50.960,0:31:53.870 +like in that range or whatever they are these days + +0:31:53.870,0:31:56.940 +so he creates the database and he gets more alerts + +0:31:56.940,0:31:59.800 +and he says well this is nice but I can’t tell if any of this matters + +0:31:59.800,0:32:02.770 +so that's the end of the line + +0:32:02.770,0:32:05.940 +right at this point he’s got two options he can either ignore it + +0:32:05.940,0:32:10.240 +or he can satisfy his fifteen minute SOA that his customer +pays three thousand dollars a month + +0:32:10.240,0:32:10.860 +for + +0:32:10.860,0:32:11.940 +call the customer and say + +0:32:11.940,0:32:13.059 +I saw this + +0:32:13.059,0:32:14.650 +I don't know what it means + +0:32:14.650,0:32:17.110 +ball is in your court goodbye + +0:32:17.110,0:32:21.360 +so I don't how many of you have you had that experience with an +MSSP but that’s very very common + +0:32:21.360,0:32:22.869 +so to me this is + +0:32:22.869,0:32:27.620 +that's completely worthless so this is the +alternative I propose + +0:32:27.620,0:32:30.550 +so see already you can see there’s more lines so that +must be good right + +0:32:30.550,0:32:32.030 +so you got Elvis + +0:32:32.030,0:32:35.319 +he queries his data he get’s an alert he queries the +database he gets the same alert + +0:32:35.319,0:32:39.050 +but now the difference is he has some data to look +at + +0:32:39.050,0:32:42.499 +so in other words it’s no just an IDS or whatever +generate alerts + +0:32:42.499,0:32:44.470 +there’s some evidence to review + +0:32:44.470,0:32:46.880 +and the key idea behind NSM is + +0:32:46.880,0:32:47.869 +the evidence + +0:32:47.869,0:32:51.700 +is collected whether or not it has security +value + +0:32:51.700,0:32:55.110 +that's not quite right what I mean is you’re +always collecting data + +0:32:55.110,0:32:57.350 +because you don't know what is useful + 
+0:32:57.350,0:32:58.430 +in other words + +0:32:58.430,0:33:00.360 +if you knew what was bad + +0:33:00.360,0:33:03.159 +why don't you just stop it + +0:33:03.159,0:33:05.709 +that is the whole fallacy of security right +like + +0:33:05.709,0:33:07.359 +the whole thing IDS was + +0:33:07.359,0:33:11.350 +if you could detect it why can’t you prevent it oh yeah + +0:33:11.350,0:33:14.860 +right so you invent this whole IPS category +which is a silver bullet which + +0:33:14.860,0:33:17.270 +did really nothing + +0:33:17.270,0:33:21.780 +but the idea is yeah you can detect it’s bad why don’t you just +stop it well of course that makes a lot of + +0:33:21.780,0:33:22.219 +sense + +0:33:22.219,0:33:24.840 +so you have a lot of stopping bad stuff + +0:33:24.840,0:33:28.250 +but then there’s other bad stuff that’s happening because +you don't know it is bad right now + +0:33:28.250,0:33:29.899 +I mean + +0:33:29.899,0:33:34.140 +I learned these techniques dealing with + +0:33:34.140,0:33:35.820 +intruders + +0:33:35.820,0:33:38.399 +I’ll date myself but in 1998 + +0:33:38.399,0:33:39.509 +intruders in China + +0:33:39.509,0:33:41.049 +who had writtten their own + +0:33:41.049,0:33:44.010 +virtualisation platform on top of Solaris + +0:33:44.010,0:33:46.159 +who were doing stuff we were like holy cow + +0:33:46.159,0:33:48.540 +because we had no idea that they could do +that sort of thing + +0:33:48.540,0:33:51.879 +so there was no system that was going to detect +because we didn't even know it existed + +0:33:51.879,0:33:54.530 +but guess what we were keeping track of everything +that was happening + +0:33:54.530,0:33:56.330 +and once we knew what to look for + +0:33:56.330,0:34:00.380 +we checked our data like holy crap they’ve been in +here since two years ago + +0:34:00.380,0:34:03.230 +right this slide that I showed you here + +0:34:03.230,0:34:07.240 +when we started putting out these sensors there was +huge resistance + +0:34:07.240,0:34:08.459 +this was like + 
+0:34:08.459,0:34:13.399 +oh man we’re the air force we just defeated Iraq the +fourth biggest army in the world we kick ass + +0:34:13.399,0:34:15.739 +there can’t be anybody inside of our network and we’re like + +0:34:15.739,0:34:19.460 +please please can we put a few sensors out there and they’re +like all right but you guys are wasting your + +0:34:19.460,0:34:20.029 +time + +0:34:20.029,0:34:23.690 +so we put our sensors out and what do you think +what did we find + +0:34:23.690,0:34:24.720 +we were owned + +0:34:25.650,0:34:26.230 +everywhere + +0:34:26.230,0:34:27.569 +up down left right + +0:34:27.569,0:34:29.499 +it was terrible right we were completely owned + +0:34:29.499,0:34:31.329 +because nobody was watching + +0:34:31.329,0:34:33.129 +and then after that + +0:34:33.129,0:34:37.159 +boom that’s when everything took off + +0:34:37.159,0:34:40.859 +so the key here is that you get your alert but then you +have data to look at and the two + +0:34:40.859,0:34:43.939 +%uh well I should say three main forms of data you collect + +0:34:43.939,0:34:45.370 +we collected alerts but + +0:34:45.370,0:34:46.269 +we’re also + +0:34:46.269,0:34:47.780 +just logging all the flows we see + +0:34:47.780,0:34:50.779 +we call it session data but it’s just flows + +0:34:50.779,0:34:52.999 +and we deploy our own software to log the flows + +0:34:52.999,0:34:56.460 +but the key is we don't log the flows that are associated +with the alert we log + +0:34:56.460,0:34:57.789 +all flows + +0:34:57.789,0:34:59.689 +so you don’t have to know what support beforehand + +0:34:59.689,0:35:01.619 +you just keep track of everything + +0:35:01.619,0:35:02.840 +and once you know what to look for + +0:35:02.840,0:35:04.259 +you go look for it + +0:35:04.259,0:35:08.739 +I kind of liken it to the Splunk model like I +how many people have used Splunk + +0:35:08.739,0:35:10.609 +right Splunk is really awesome right + +0:35:10.609,0:35:13.719 +Splunk is the place you go when you know +what 
to look for + +0:35:13.719,0:35:15.740 +you generally don't have Splunk tell you stuff + +0:35:15.740,0:35:16.679 +I mean you can + +0:35:16.679,0:35:18.150 +but for the most part + +0:35:18.150,0:35:21.910 +you want to be there when you need to ask the question +and have some response + +0:35:21.910,0:35:24.470 +it's the same thing with this once I know what to look for + +0:35:24.470,0:35:25.309 +I need a place to go look + +0:35:25.309,0:35:28.169 +so I query my sessions and I’m like oh well look + +0:35:28.169,0:35:29.040 +this guy + +0:35:29.040,0:35:32.709 +just reached out via FTP and grabbed his tools + +0:35:32.709,0:35:35.109 +guess what most hackers these days still do this + +0:35:35.109,0:35:36.189 +right they aren’t like + +0:35:36.189,0:35:38.319 +STP-ing out or whatever + +0:35:38.319,0:35:40.489 +yeah go grab their tools over FTP + +0:35:40.489,0:35:41.439 +excuse me well + +0:35:41.439,0:35:43.280 +they grab their tools over FTP + +0:35:43.280,0:35:45.939 +while they’re doing that I’m logging all the packet data + +0:35:45.939,0:35:51.379 +and a lot of people used to say oh Bejtlich you’re +crazy who can log packet data on all their gateways + +0:35:51.379,0:35:52.829 +the NSA does + +0:35:52.829,0:35:55.639 +so guess what we can too right it’s not that tough + +0:35:55.639,0:35:58.500 +%uh most network connections are + +0:35:58.500,0:36:00.079 +DS3s or less + +0:36:00.079,0:36:03.509 +at least the outbound ones to the internet + +0:36:03.509,0:36:05.579 +so you could log a lot of packet data + +0:36:05.579,0:36:07.809 +I mean hard drives are cheap + +0:36:07.809,0:36:12.589 +they're cheap so you can grab a lot of data + +0:36:12.589,0:36:18.589 +yeah question what do you use to dump all the data I’ll walk +you through all of it yup yes my question is so I’m located +my servers are in Maryland + +0:36:20.819,0:36:23.099 +yes I’m an ISP what happens when I get stuff from +Massachussetts or California and they’re going you can’t do that + 
+0:36:27.329,0:36:28.269 +yes okay so there’s two things + +0:36:28.269,0:36:32.709 +the first thing I thought you were going to go down was +I’m an ISP do I do this for my + +0:36:32.709,0:36:33.949 +customers the answer would be no + +0:36:33.949,0:36:37.429 +%uh I would do this for my infrastructure + +0:36:37.429,0:36:40.489 +as far as the privacy stuff goes + +0:36:40.489,0:36:44.589 +we're we’re wrestling with ourselves and what +I end up doing is typically + +0:36:44.589,0:36:46.899 +scaling back to what the law will allow + +0:36:46.899,0:36:50.660 +and then showing that it's either adequate +or not adequate + +0:36:50.660,0:36:56.319 +and then I take it to the lawyers and say we have to +somehow push back against this + +0:36:56.319,0:36:57.630 +%uh but okay + +0:36:57.630,0:37:00.229 +so imagine that you do the full content though + +0:37:00.229,0:37:06.089 +and by the way this isn’t theoretical we do this all the time +I have a reverse engineer on my staff who + +0:37:06.089,0:37:10.589 +when we see machines mission going down pulling their binaries +when the machines are owned + +0:37:10.589,0:37:12.399 +I pass in the traffic + +0:37:12.399,0:37:14.219 +he pulls out the + +0:37:14.219,0:37:15.260 +exe + +0:37:15.260,0:37:19.160 +he reverses it figures out what it does +and now we go into the next stage of insert-response + +0:37:19.160,0:37:21.249 +so it can be done + +0:37:21.249,0:37:24.869 +so then we say oh shoot it uses this back door we +go back and look in the sessions and we say + +0:37:24.869,0:37:27.879 +oh I see this back door let's go and look at the +traffic + +0:37:27.879,0:37:29.350 +and it just keeps going so + +0:37:29.350,0:37:36.350 +the idea is that this isn’t the end of the investigation +it’s the beginning the investigation + +0:37:36.579,0:37:37.369 +sure + +0:37:37.369,0:37:39.059 +can it be done + +0:37:39.059,0:37:41.209 +it’s easy to do and can be done completely free + +0:37:41.209,0:37:42.249 +yes + +0:37:42.249,0:37:44.220 
+yes and that is very true + +0:37:44.220,0:37:45.249 +everything that I’ve shown here + +0:37:45.249,0:37:48.249 +you could literally walk out of here + +0:37:48.249,0:37:50.619 +go into the freeBSD ports tree find a SGUIL ports + +0:37:52.119,0:37:54.840 +do your make I mean the ports are a little ugh + +0:37:54.840,0:37:58.029 +I'm not + +0:37:58.029,0:37:59.730 +you don’t want to slam a guy who + +0:37:59.730,0:38:01.190 +volunteers and makes ports right + +0:38:01.190,0:38:05.700 +but there’s still a decent amount of work that you have +to do once the ports are installed it’s good for basically + +0:38:05.700,0:38:09.880 +satisfying dependencies and so forth + +0:38:09.880,0:38:12.879 +so this is the implementation we use as far as software stack + +0:38:12.879,0:38:14.699 +for %uh alert data + +0:38:14.699,0:38:17.459 +we use Snort + +0:38:17.459,0:38:22.799 +I’m starting to I’ve used Bro a little bit +I’m starting to integrate Bro though + +0:38:22.799,0:38:26.949 +full content data I tend to use Demon Logger + +0:38:26.949,0:38:29.029 +it’s Marty Rush’s implementation of Packet Logger + +0:38:29.029,0:38:30.069 +for session data + +0:38:30.069,0:38:34.539 +I use SANCP which is sort a friend of Myrobe which you can +sort of see some other options there + +0:38:34.539,0:38:36.469 +and then statistical data + +0:38:36.469,0:38:38.939 +you know think MRTGA type of thing +that + +0:38:38.939,0:38:40.949 +shows you traffic over time or whatever + +0:38:40.949,0:38:45.979 +%um and the nice thing is SGUIL is the interface to a lot +of this and you know + +0:38:45.979,0:38:47.619 +I’m going to show you what that looks like + +0:38:47.619,0:38:50.709 +by the way so this is it in a picture + +0:38:50.709,0:38:52.289 +so what is SGUIL well + +0:38:52.289,0:38:54.949 +okay yes this is a Windows screenshot + +0:38:54.949,0:39:00.159 +it shows that you can run your BSD back +end on the servers and then have your boss uses Windows + +0:39:00.159,0:39:00.769 +GUI + 
+0:39:00.769,0:39:02.189 +and log into it + +0:39:02.189,0:39:03.159 +and %uh + +0:39:03.159,0:39:07.559 +again this isn’t about the tool as much as +the data and the way you investigate it but + +0:39:07.559,0:39:08.989 +here’s the screenshot so + +0:39:08.989,0:39:11.890 +you can see we have a console here + +0:39:11.890,0:39:16.509 +and these are our store alerts coming in and by the way it can +be other things we've got it + +0:39:16.509,0:39:20.469 +this isn't a sim incidentally we were talking +just a few minutes ago like + +0:39:20.469,0:39:22.380 +the way we describe it is + +0:39:22.380,0:39:23.259 +with a sim + +0:39:23.259,0:39:26.170 +you could put ABCD all the way through W + +0:39:26.170,0:39:27.200 +into a sim + +0:39:27.200,0:39:28.819 +and it’d still be garbage + +0:39:28.819,0:39:31.449 +but with this we pick the X Y and Z that we + +0:39:31.449,0:39:34.109 +think give you the best value + +0:39:34.109,0:39:37.619 +so for us those are alert sessions and and full content + +0:39:37.619,0:39:39.650 +so you’ve got your interface here + +0:39:39.650,0:39:43.670 +and we try to present as much information +on one screen without having to do a bunch of window + +0:39:43.670,0:39:44.889 +management + +0:39:44.889,0:39:46.839 +yes it is TCL/TK + +0:39:46.839,0:39:50.599 +we started this back in 2001 + +0:39:50.599,0:39:54.009 +but it works it you know it’s fine it’s platform + +0:39:54.009,0:39:56.349 +so here’s the packet that caused the alert + +0:39:56.349,0:39:58.349 +here is the of + +0:39:58.349,0:40:00.100 +the rule that caused the alert + +0:40:00.100,0:40:02.160 +and in most systems this is what you would +get + +0:40:02.160,0:40:05.079 +right you're left deciding if it's okay + +0:40:05.079,0:40:09.039 +in an HTTP transaction + +0:40:09.039,0:40:12.460 +for someone to have put through what looks like the +output of an ID command on Unix + +0:40:12.460,0:40:14.779 +where the result was + +0:40:14.779,0:40:16.179 +UID zero + 
+0:40:16.179,0:40:19.529 +is that good or is that bad I mean you’d probably say that sounds bad + +0:40:19.529,0:40:24.219 +but once you do the analysis you’ll find out it's +not the question is you have to make that decision + +0:40:24.219,0:40:25.760 +and every vendor that I’ve met + +0:40:25.760,0:40:26.839 +they leave you here + +0:40:26.839,0:40:28.399 +and they abandon you + +0:40:28.399,0:40:29.479 +they say + +0:40:29.479,0:40:31.439 +good luck I’ve given you the packet + +0:40:31.439,0:40:33.329 +like you’ll talk to the source buyer guys they’re like + +0:40:33.329,0:40:36.199 +I gave you the packet what more do you need + +0:40:36.199,0:40:37.639 +I need to know if it matters + +0:40:37.639,0:40:41.569 +and you’re like well + +0:40:41.569,0:40:42.889 +I + +0:40:42.889,0:40:46.549 +can give you the packet look + +0:40:46.549,0:40:48.680 +yeah packet so what it’s a packet + +0:40:48.680,0:40:52.439 +I can tell there’s a packet here yes there’s a packet and yes +it’s nice that you gave me a nice open rule so I can tell how it + +0:40:52.439,0:40:55.140 +came to its decision unlike you know a closed system + +0:40:55.140,0:40:56.150 +you can't tell + +0:40:56.150,0:40:58.240 +but I have to tell if this matters for me + +0:40:58.240,0:40:59.859 +what do you do next + +0:40:59.859,0:41:03.769 +we could do a couple things one thing you +can do is build transcript + +0:41:03.769,0:41:05.550 +the transcript is + +0:41:05.550,0:41:06.510 +all of the + +0:41:06.510,0:41:08.380 +session in this case + +0:41:08.380,0:41:12.719 +rendered through in this case we use TCP flow so we say + +0:41:12.719,0:41:13.789 +literally right-click + +0:41:13.789,0:41:15.379 +give me your transcript + +0:41:15.379,0:41:16.740 +system goes out to the sensor + +0:41:16.740,0:41:18.369 +pulls back the P cap data + +0:41:18.369,0:41:20.319 +renders it in TCP flow + +0:41:20.319,0:41:21.259 +colors the blue + +0:41:21.259,0:41:24.249 +%uh the source the red is the destination + 
+0:41:24.249,0:41:26.079 +so you can see that my system + +0:41:26.079,0:41:31.009 +visited the www.testmyids.com site + +0:41:31.009,0:41:32.320 +and it replied + +0:41:32.320,0:41:34.009 +with the content + +0:41:34.009,0:41:36.159 +so + +0:41:36.159,0:41:37.679 +there is no like + +0:41:37.679,0:41:39.289 +back door on port 80 here + +0:41:39.289,0:41:40.689 +this is a + +0:41:40.689,0:41:47.119 +by the way the other thing that’s nice is that I came +through this proxy and whatever + +0:41:47.119,0:41:50.779 +if I’m dealing with a binary protocol like let’s say +SNB or RPC or something that doesn’t + +0:41:50.779,0:41:52.249 +render well as text + +0:41:52.249,0:41:56.849 +that's same right-click you can instead choose to +dump it into Wireshark + +0:41:56.849,0:41:58.099 +so here’s the Wireshark data + +0:41:58.099,0:42:00.829 +and you can use anything you want to do for Wireshark +at this point + +0:42:00.829,0:42:01.900 +this is fast right + +0:42:01.900,0:42:05.699 +I don’t know how many of you have had to do this by +hand + +0:42:05.699,0:42:08.570 +you know you SSH out to the sensor find a pcat file + +0:42:08.570,0:42:10.709 +come up with a BPF in your head + +0:42:10.709,0:42:12.119 +you know run it + +0:42:12.119,0:42:13.890 +copy it someplace no this is + +0:42:13.890,0:42:15.359 +right-click right-click right-click I’ve got all my data + +0:42:17.130,0:42:20.909 +if you want to see well have I ever gone to this IP address +before + +0:42:20.909,0:42:23.219 +I query for my sessions and I say + +0:42:23.219,0:42:27.459 +you know in this case it’s a sequel query on that desk IP + +0:42:27.459,0:42:30.770 +and by the way you can right-click and do a default query +or else if you know what the schema looks like you can just +modify it by hand + +0:42:37.369,0:42:40.139 +and I think that’s it + +0:42:40.139,0:42:41.820 +so if you want to try any of that + +0:42:41.820,0:42:44.889 +like I said %uh the ports exist + +0:42:44.889,0:42:49.399 +I maintain some 
really really really +really lame scripts that automate this + +0:42:49.399,0:42:52.190 +but I need to install it on my home gateway or something +like that + +0:42:52.190,0:42:56.319 +They’re more of just a reference + +0:42:56.319,0:42:57.140 +but that’s what I do on BSD as far as network security +monitoring goes + +0:42:57.140,0:43:03.609 +I’d be happy to answer any questions + +0:43:03.609,0:43:09.139 +yes + +0:43:09.139,0:43:14.049 +what additional features are you looking for in the future I +would say for SGUIL for new features the first thing is resolve + +0:43:14.049,0:43:15.700 +intellectual property + +0:43:15.700,0:43:16.140 +because + +0:43:16.140,0:43:19.469 +I hired Bam as my lead incident handler at GE + +0:43:19.469,0:43:20.439 +so + +0:43:20.439,0:43:21.780 +we need to figure out + +0:43:21.780,0:43:24.940 +if he works on it at work + +0:43:24.940,0:43:27.640 +can we release it well first of all can he even work +on it at work + +0:43:27.640,0:43:29.130 +and secondly if he does + +0:43:29.130,0:43:33.189 +can we release so we're trying to work +out those I think it'll be resolved postively + +0:43:33.189,0:43:35.119 +because we're GE’s actually fairly pro-open-source + +0:43:36.849,0:43:41.189 +I told the CEO of the company that this thing +used my sequel as a back end and + +0:43:41.189,0:43:42.229 +he’s like I love my sequel + +0:43:42.229,0:43:43.680 +okay + +0:43:43.680,0:43:45.470 +he’s like you’ve got your money I’m like oh + +0:43:45.470,0:43:47.089 +okay that’s all I had to say great + +0:43:47.089,0:43:50.969 +%uh he hates Microsoft he hates the company + +0:43:53.819,0:43:58.789 +so we wanted once we get that result we want +to probably introduce other data sources + +0:43:58.789,0:43:59.549 +so introduce like Bro plugin + +0:44:01.090,0:44:02.240 +some other agents + +0:44:02.240,0:44:03.799 +they could accept other data + +0:44:03.799,0:44:05.470 +%uh we need to have + +0:44:05.470,0:44:07.789 +some kind of reporting mechanism + 
+0:44:07.789,0:44:08.610 +because people don't know + +0:44:08.610,0:44:11.589 +what comes out once you put it in + +0:44:11.589,0:44:16.329 +there's been some talk about making this turn +into a Splunk base application + +0:44:16.329,0:44:18.119 +so all the data goes into Splunk + +0:44:18.119,0:44:25.119 +I mean you could you'd do like use Splunk as the interface +so that's a possibility + +0:44:28.909,0:44:33.859 +yeah Splunk is remarkably cheap for an enterprise +app though we’ve bought like giant licenses + +0:44:33.859,0:44:34.669 +that have not + +0:44:34.669,0:44:38.399 +I mean they've been like five-figure purchases which is +really good considering how many gigabytes of data + +0:44:38.399,0:44:39.489 +we’re indexing + +0:44:39.489,0:44:41.789 +%uh but you know for the + +0:44:41.789,0:44:46.170 +situation here it would be an option because the free Splunk +is 500mb a day + +0:44:46.170,0:44:49.229 +so it's not that + +0:44:49.229,0:44:56.229 +any other questions + +0:45:02.480,0:45:04.219 +yeah I think Bro if you’ve never heard of Bro bro-ids.org + +0:45:04.219,0:45:08.279 +in fact I’m going to Bro training next week +in Berkeley which is just going to rock I’m so excited + +0:45:08.279,0:45:10.629 +about that + +0:45:10.629,0:45:12.469 +Bro I think is a perfect + +0:45:12.469,0:45:14.809 +a perfect compliment to Snort + +0:45:14.809,0:45:17.750 +Snort not exclusively but Snort is quite a bit about signatures + +0:45:17.750,0:45:21.140 +there are some few processors that look for +protocol anomalies and so forth + +0:45:21.140,0:45:26.189 +but Bro on it’s own is completely the opposite it’s all about +protocol anomalies + +0:45:26.189,0:45:27.939 +Snort has kind of like real + +0:45:27.939,0:45:30.999 +hackish type state keeping using flow bits + +0:45:30.999,0:45:32.739 +Bro is all about state + +0:45:32.739,0:45:35.160 +so you put the two of them together you might say + +0:45:35.160,0:45:37.499 +shoot I really need to know when such and such +happens 
+ +0:45:37.499,0:45:41.270 +but to do that Snort I’d have to do all this +flow bits and stuff + +0:45:41.270,0:45:43.030 +whereas with Bro you’re like oh + +0:45:43.030,0:45:43.810 +just track the connections and then do this + +0:45:43.810,0:45:50.810 +so the two of them together I think work really +well + +0:45:51.619,0:45:54.980 +the questions was does Bro have Snort rule input functionality + +0:45:54.980,0:45:57.769 +it does to the extent that every + +0:45:57.769,0:46:02.059 +like hardware vendor accelerator vendor Snort competitor +says that they do + +0:46:02.059,0:46:05.079 +%uh Snort is the engine is always being +updated + +0:46:05.079,0:46:07.880 +so generally what when somebody says that +they can + +0:46:07.880,0:46:09.880 +%uh run Snort rules faster + +0:46:09.880,0:46:12.420 +they’re usually only talking about content matches + +0:46:12.420,0:46:14.519 +so they take whatever the the + +0:46:14.519,0:46:15.500 +content match is + +0:46:15.500,0:46:18.829 +and implement it quickly in hardware + +0:46:18.829,0:46:23.099 +so over time the degree to which you can map +real Snort rules fades + +0:46:23.099,0:46:24.309 +so whereas + +0:46:24.309,0:46:26.510 +five years ago it might have been like ninety percent + +0:46:26.510,0:46:28.619 +these days it's like twenty five percent + +0:46:28.619,0:46:35.619 +so they probably can pull in a certain percentage +but not a lot + +0:46:46.159,0:46:50.020 +right right exactly so the question was about retention +of the full content data + +0:46:50.020,0:46:53.439 +I should mention that for alerts we try to keep for +about a year + +0:46:53.439,0:46:56.809 +for flows we try to keep about six months + +0:46:56.809,0:46:59.529 +and alerts and flows are both centralized although + +0:46:59.529,0:47:03.059 +given the flow volume we’re seeing we might +have to start pushing that back onto the + +0:47:03.059,0:47:04.909 +sensor + +0:47:04.909,0:47:07.549 +pcat data it is + +0:47:07.549,0:47:10.509 +just what we can 
afford as far as hard drive spaces go + +0:47:10.509,0:47:11.769 +my last budget + +0:47:11.769,0:47:15.319 +I could only spend about twenty five hundred +to three grand per sensor + +0:47:15.319,0:47:18.949 +which limited me to about one to + +0:47:18.949,0:47:22.139 +yeah about one terabyte of disk space with raid + +0:47:22.139,0:47:23.809 +so %uh + +0:47:23.809,0:47:26.279 +depending on where the sensor goes that could be + +0:47:26.279,0:47:28.809 +three months or three weeks + +0:47:28.809,0:47:34.189 +or or a day or three days or three hours +right + +0:47:34.189,0:47:36.259 +what I do is I end up + +0:47:36.259,0:47:38.450 +I buy up chassis that can + +0:47:38.450,0:47:40.960 +potentially grow to have a lot more storage once +I have budget + +0:47:40.960,0:47:42.509 +I put the system out there + +0:47:42.509,0:47:43.319 +and I say + +0:47:43.319,0:47:46.439 +look this is look what I found at this location +boss + +0:47:46.439,0:47:50.709 +if you give me a little more more money I can put in +you know four terabytes of disk space as opposed + +0:47:50.709,0:47:51.609 +to one + +0:47:51.609,0:47:53.209 +and then they give me that + +0:47:53.209,0:47:55.520 +but the pcap data only stays on a sensor + +0:47:55.520,0:47:58.049 +so what I try to do is I have an analysis +window + +0:47:58.049,0:47:59.179 +and a pcap window + +0:47:59.179,0:48:03.799 +and I try to have that pcap window longer than +the analysis window + +0:48:03.799,0:48:08.239 +so the questions yes + +0:48:08.239,0:48:12.269 +yeah so any type of encryption on host + +0:48:12.269,0:48:14.139 +but the funny thing is + +0:48:14.139,0:48:17.909 +most of the time when I did get type of + +0:48:17.909,0:48:19.160 +like third-party tips + +0:48:19.160,0:48:22.669 +it's usually have you seen anybody visiting this IP address + +0:48:22.669,0:48:25.919 +and if I see the visit to that IP address +even if it’s encrypted + +0:48:25.919,0:48:27.669 +I know it + +0:48:27.669,0:48:29.429 +this isn't the whole 
game right + +0:48:29.429,0:48:32.750 +usually what I do is I use all of this identify +boxes that problems + +0:48:32.750,0:48:34.439 +and then I roll in to do + +0:48:34.439,0:48:35.809 +host-based forensics + +0:48:35.809,0:48:42.809 +so that some of the other coin other side + +0:48:45.349,0:48:49.310 +yeah that is really dependent on the way that + +0:48:49.310,0:48:50.729 +encryption algorithm is implemented + +0:48:50.729,0:48:55.159 +some of them are are very friendly to that +others are not + +0:48:55.159,0:48:57.339 +and others + +0:48:57.339,0:48:59.070 +that you know in some cases + +0:48:59.070,0:49:02.300 +it might be better to use another approach +like there's certain proxies that are out + +0:49:02.300,0:49:03.829 +there like that + +0:49:03.829,0:49:05.419 +Palo Alto firewall + +0:49:05.419,0:49:07.969 +you can specify encryption policies so + +0:49:07.969,0:49:12.210 +and if you go to banks if you go to certain +sites they don’t mess with the SSL + +0:49:12.210,0:49:14.150 +everywhere else they man it in the middle + +0:49:14.150,0:49:16.349 +and so you can get access to the logs that +way + +0:49:16.349,0:49:18.619 +so I try not to do that with the sensors so much + +0:49:18.619,0:49:19.659 +I try to keep it I try to make + +0:49:19.659,0:49:21.799 +the sensor so nobody even knows they’re there + +0:49:21.799,0:49:23.529 +if at all possible + +0:49:23.529,0:49:28.169 +yes + +0:49:39.739,0:49:43.599 +his comment was even if there is four +four three traffic that’s encrypted + +0:49:43.599,0:49:45.349 +general to be something else that isn’t + +0:49:45.349,0:49:48.969 +and that's really what all this is about it's +generally about getting a hint that something + +0:49:48.969,0:49:49.890 +is wrong + +0:49:49.890,0:49:53.460 +and you don't necessarily know what the hint is until +you’ve been burnt pretty badly + +0:49:53.460,0:49:56.609 +and then you go back and you figure out the scope +of the incident is + +0:49:56.609,0:50:00.119 +in no forensic 
case have I ever worked where I +had a complete picture + +0:50:00.119,0:50:01.929 +you know I had the guys hard drive I had + +0:50:01.929,0:50:04.280 +his logs his network traffic it's generally + +0:50:04.280,0:50:05.490 +you get some piece + +0:50:05.490,0:50:08.160 +and then you start investigating + +0:50:08.160,0:50:10.190 +and the reason I do this approach is because it’s cheap + +0:50:10.190,0:50:14.099 +you know twenty five hundred dollar commodity hardware +open source software + +0:50:14.099,0:50:15.820 +little bit of experience + +0:50:15.820,0:50:17.280 +and suddenly I’ve got some + +0:50:17.280,0:50:18.220 +you know some viable data + +0:50:18.220,0:50:22.129 +you’d think working at GE I’d have some huge +budget + +0:50:22.129,0:50:23.000 +no way not at all + +0:50:23.000,0:50:24.819 +any other questions + +0:50:24.819,0:50:31.819 +yes + +0:50:35.649,0:50:38.709 +well to tell you the truth I started using + +0:50:38.709,0:50:39.750 +FreeBSD specifically + +0:50:39.750,0:50:44.710 +%uh in 2000 and the reason was our +developers who who were building the ASM sensors + +0:50:44.710,0:50:46.659 +in the + +0:50:47.569,0:50:48.279 +they said + +0:50:48.279,0:50:52.579 +if we’re going to have a good network stack we should +use a BSD base stack as opposed to Linux + +0:50:52.579,0:50:53.959 +so that's how it started + +0:50:53.959,0:50:59.519 +%um since then there have been many changes in both +sides Linux within the BSDs and so forth + +0:50:59.519,0:51:02.419 +so I'm really not in a position to say which + +0:51:02.419,0:51:03.319 +is better + +0:51:03.319,0:51:04.410 +I I would say + +0:51:04.410,0:51:06.679 +I've never had a BSD let me down + +0:51:06.679,0:51:08.599 +put it that way + +0:51:08.599,0:51:10.930 +as far as FreeBSD goes specifically + +0:51:10.930,0:51:14.229 +there’s som like minor things that make my +life better + +0:51:14.229,0:51:18.349 +one is I know a lot of the network developers +so when there's an issue I can talk to them + 
+0:51:18.349,0:51:19.859 +directly + +0:51:19.859,0:51:20.919 +and they can say + +0:51:20.919,0:51:22.420 +like some of the + +0:51:22.420,0:51:23.660 +I don’t know who’s from the free + +0:51:23.660,0:51:26.099 +but some of the zero copy stuff that's being +worked on + +0:51:26.099,0:51:29.159 +like that helps me a lot + +0:51:29.159,0:51:32.999 +some it's the most stupid things like the +ability that any + +0:51:32.999,0:51:33.869 +any + +0:51:33.869,0:51:35.469 +app which + +0:51:35.469,0:51:37.719 +is opening up a BPF + +0:51:37.719,0:51:40.109 +you can track performance with the what was it + +0:51:40.109,0:51:41.609 +net stat dash B + +0:51:41.609,0:51:42.400 +capital B + +0:51:42.400,0:51:45.859 +little things like that are helpful too + +0:51:45.859,0:51:52.859 +there's another question + +0:52:03.309,0:52:05.019 +yes + +0:52:05.019,0:52:09.189 +yeah so I don’t know if what you've seen in the news about +like Chinese hackers and all + +0:52:09.189,0:52:12.499 +this has been going on for a long time it's +just that + +0:52:12.499,0:52:14.590 +nowadays they're mostly on Windows but + +0:52:14.590,0:52:16.269 +ten years ago what was popular + +0:52:16.269,0:52:20.489 +like commercial in the military it was Solaris + +0:52:20.489,0:52:25.289 +so we were seeing all sorts weird traffic in +our Solaris boxes that we couldn’t account for + +0:52:25.289,0:52:27.439 +so these guys had written once we + +0:52:27.439,0:52:28.929 +started doing some + +0:52:28.929,0:52:31.199 +forensics and it wasn't the forensics of + +0:52:31.199,0:52:33.929 +pull the power cord which is what was popular +back then right + +0:52:33.929,0:52:35.319 +it was you know + +0:52:35.319,0:52:37.960 +let's take us the actually I think back then we were +doing + +0:52:37.960,0:52:40.019 +we generated a crash dump + +0:52:40.019,0:52:41.139 +and then analyzed it + +0:52:41.139,0:52:43.899 +so these guys were writing + +0:52:43.899,0:52:45.089 +memory resident + +0:52:45.089,0:52:46.289 +did not 
touch + +0:52:46.289,0:52:48.129 +did not touch the hard drive + +0:52:48.129,0:52:50.240 +%uh implementations where + +0:52:50.240,0:52:52.029 +they built their own + +0:52:52.029,0:52:53.639 +like hyper visor and had their own little operating + +0:52:53.639,0:52:59.469 +system on top of our Solaris +boxes that we couldn't see + +0:52:59.469,0:53:01.519 +yeah so + +0:53:01.519,0:53:04.179 +that was back then + +0:53:04.179,0:53:06.059 +right %uh + +0:53:06.059,0:53:08.489 +it’s I’ve worked on that side the defensive side + +0:53:08.489,0:53:10.929 +I’ve also worked on a not defensive side + +0:53:10.929,0:53:12.849 +I won’t say what that is but + +0:53:12.849,0:53:15.159 +%uh the stuff I saw here + +0:53:15.159,0:53:16.709 +that we were doing as contractors + +0:53:16.709,0:53:20.369 +I was I was like wow this can be done this +is really amazing so + +0:53:20.369,0:53:25.279 +most of the time if you have an imagination you +can sort of imagine what's happening + +0:53:25.279,0:53:27.579 +and if you think about it you might think well + +0:53:27.579,0:53:30.910 +we're not the only ones in the world who can do that +so there’s probably guys on the other + +0:53:30.910,0:53:31.649 +side + +0:53:31.649,0:53:34.789 +who can do it so then you have to start +looking for it + +0:53:34.789,0:53:36.729 +what you see is a progression of + +0:53:36.729,0:53:39.009 +things that happened at the very high end + +0:53:39.009,0:53:41.189 +eventually it filters down you know + +0:53:41.189,0:53:44.339 +really good rootkits used to be the province +of people who wrote them + +0:53:44.339,0:53:46.039 +but now you can buy them + +0:53:46.039,0:53:53.039 +find them share them whatever + +0:53:59.749,0:54:03.279 +sure yeah so the question is do we do any pattern analysis + +0:54:03.279,0:54:06.219 +there's nothing bad about Latvia + +0:54:06.219,0:54:07.679 +you asked a good question + +0:54:07.679,0:54:11.549 +but + +0:54:11.549,0:54:14.059 +let me put it this way + 
+0:54:14.059,0:54:17.089 +I'm creating that the first GE cert + +0:54:17.089,0:54:20.400 +it's 2099 but yes we just did +up our first cert + +0:54:20.400,0:54:25.559 +so we are we're not even like crawling yet +we’re like the baby on its back + +0:54:25.559,0:54:26.799 +oh look I can lift my head up + +0:54:26.799,0:54:31.879 +so we're still getting our hands around what does it +even mean to operate the cert data we have and + +0:54:31.879,0:54:32.549 +so forth + +0:54:32.549,0:54:36.649 +I would expect within the next two years we're going +been doing the kinds of things I would have + +0:54:36.649,0:54:37.579 +expected + +0:54:37.579,0:54:38.769 +you know a real + +0:54:38.769,0:54:39.649 +cert to do + +0:54:39.649,0:54:41.320 +it now includes things like + +0:54:41.320,0:54:47.279 +we know our environment so well that when we see +that box doing that that's outside the scope + +0:54:47.279,0:54:50.689 +it's one of those things where we have ideas +that are probably + +0:54:50.689,0:54:52.429 +like two years ahead of where we can implement + +0:54:52.429,0:54:53.729 +but once we do that + +0:54:53.729,0:55:00.199 +we’ll find stuff like that + +0:55:00.199,0:55:04.569 +have we gotten people to do their own what + +0:55:04.569,0:55:08.579 +so the question was I think you probably heard the question + +0:55:08.579,0:55:12.139 +we are actually collaborating with + +0:55:12.139,0:55:16.670 +%uh ICIR at Berkeley like Verne Paxon and his guys the Bro guys + +0:55:16.670,0:55:18.880 +and %uh at New York University so + +0:55:18.880,0:55:21.940 +there’s two research programs at each and +we're going to be + +0:55:21.940,0:55:23.269 +probably + +0:55:23.269,0:55:25.950 +I would guess we’re probably going to ship them data + +0:55:25.950,0:55:30.809 +because that’s what’s great about our method right we just +collect data so we can sign an NDA ship them data + +0:55:30.809,0:55:32.919 +and they can apply all their different + +0:55:32.919,0:55:34.259 +research + 
+0:55:34.259,0:55:36.260 +theories against it and find stuff for us + +0:55:36.260,0:55:38.299 +so yeah I’d expect some of that + +0:55:38.299,0:55:45.299 +from those guys + +0:55:49.229,0:55:54.039 +yes + +0:55:54.039,0:55:56.439 +yeah so the way I deploy is I use taps where possible +because you can’t screw it up + +0:55:56.439,0:55:59.439 +I mean you can there are certain fiber types you can +physically connect backwards + +0:55:59.439,0:56:02.349 +so just enough light will get through so the +traffic follows + +0:56:02.349,0:56:04.649 +but no light is reflected out to your sensor + +0:56:04.649,0:56:06.760 +but for the most part if you’re talking copper + +0:56:06.760,0:56:07.430 +done tap + +0:56:07.430,0:56:09.649 +it gives you your traffic + +0:56:09.649,0:56:13.350 +I even prefer that model for like IPS’s +if you have to use an IPS + +0:56:13.350,0:56:15.599 +use a bypass switch as opposed to putting it in line + +0:56:15.599,0:56:18.539 +I don't put anything in line because as soon as +you’re in line + +0:56:18.539,0:56:20.599 +what happens + +0:56:20.599,0:56:24.029 +you get blamed so I stay I’m like look I have a dum tap + +0:56:24.029,0:56:27.329 +pull the power cords it’s not going to affect the network +in the least right + +0:56:27.329,0:56:32.129 +I have my sensor my sensor could blow up in a ball of fire +and you wouldn’t even notice it + +0:56:32.129,0:56:36.609 +and all the business owners are like yes + +0:56:36.609,0:56:39.239 +but if I told them I’m putting this box in line + +0:56:39.239,0:56:40.979 +anything that happens you’re like + +0:56:42.449,0:56:44.469 +your box took down my ten million dollar an hour system +I’m going to kill you + +0:56:44.469,0:56:45.160 +so + +0:56:45.160,0:56:50.029 +I don't bother with that + +0:56:50.029,0:56:54.879 +I’ve got a good track record that’s why I’m still employed + +0:56:54.879,0:56:55.469 +so far + +0:56:55.469,0:56:57.629 +the only time I ever took something down + +0:56:57.629,0:56:59.429 +I was 
fully authorized to do + +0:56:59.429,0:57:00.529 +%uh we had + +0:57:00.529,0:57:01.729 +some script kitty + +0:57:01.729,0:57:03.220 +who was + +0:57:03.220,0:57:03.969 +defacing + +0:57:03.969,0:57:05.569 +web site after web site + +0:57:05.569,0:57:06.869 +we had some you know + +0:57:06.869,0:57:09.380 +Microsoft IS 4 0 websites back in the +air force + +0:57:09.380,0:57:10.839 +and he was dialing in getting + +0:57:10.839,0:57:13.789 +a new IP defacing the website + +0:57:13.789,0:57:16.260 +disconnecting dialing in so he had a new IP + +0:57:16.260,0:57:19.590 +so we had all our admins trying to block these IPs + +0:57:19.590,0:57:20.339 +and we’re like this isn’t working + +0:57:23.069,0:57:24.959 +stupid stupid defensive policies + +0:57:24.959,0:57:29.620 +this is all like at two o'clock in the morning +eastern time actually no central wherever I was + +0:57:29.620,0:57:30.759 +in Texas + +0:57:30.759,0:57:35.449 +and so finally I said this guy is all over the space he’s in +California he's using the UUnet + +0:57:35.449,0:57:38.170 +the Uunet blocker however they’re signing they’re signing +the IPs + +0:57:38.170,0:57:41.390 +it's just all over the place we're blocking Uunet + +0:57:41.390,0:57:43.799 +all of Uunet to the air force + +0:57:43.799,0:57:44.790 +so + +0:57:44.790,0:57:45.369 +I was like + +0:57:45.369,0:57:49.939 +execute that blocking order + +0:57:49.939,0:57:51.089 +yeah + +0:57:51.089,0:57:55.309 +I knew there was going to be hell to pay the next morning +so I the next thing I did I was I started writing + +0:57:55.309,0:58:00.729 +this is why I blocked this whatever and I had +tons of generals why did you I couldn’t check my email + +0:58:00.729,0:58:05.439 +and I got up in front of the generals and I said sir this is +why I did it I did it to protect air force assets + +0:58:05.439,0:58:09.259 +and all that so I was alright + +0:58:09.259,0:58:15.639 +yeah question + +0:58:15.639,0:58:16.719 +%um + +0:58:16.719,0:58:18.550 +yes the 
sensors are + +0:58:18.550,0:58:19.969 +scanned all the time + +0:58:19.969,0:58:21.669 +%uh I use them + +0:58:21.669,0:58:26.459 +the model I use with the sensors is you don't firewall +all things off like you might with a Windows + +0:58:26.459,0:58:26.959 +platform + +0:58:26.959,0:58:29.139 +you disabled things + +0:58:29.139,0:58:30.250 +I mean you traditionally you don’t turn it on + +0:58:31.819,0:58:35.139 +so I typically only expose SSH + +0:58:35.139,0:58:38.219 +the systems reach out they don’t + +0:58:38.219,0:58:40.660 +all the things you would think is what +I do + +0:58:40.660,0:58:42.140 +and of course they’re scanned + +0:58:42.140,0:58:43.909 +people try to brute force them of course + +0:58:43.909,0:58:46.179 +if I see somebody brute forcing in my sensor + +0:58:46.179,0:58:47.119 +who are you + +0:58:47.119,0:58:49.170 +because these are all internally managed + +0:58:49.170,0:58:50.450 +well who are you + +0:58:50.450,0:58:52.649 +why do you even know that this box is here + +0:58:52.649,0:58:56.229 +we're going to come and get you + +0:58:56.229,0:58:57.379 +the + +0:58:57.379,0:59:00.919 +sounds better than it is + +0:59:04.479,0:59:08.799 +we selling our fleet of black helicopters actually + +0:59:10.030,0:59:13.449 +we don't have a fleet of corporate jets +like a lot of other companies + +0:59:13.449,0:59:16.189 +we have net jets accounts + +0:59:16.189,0:59:23.189 +well I don’t but the CEO does we do have a helicopter I’ve seen it once + +0:59:23.869,0:59:26.289 +yeah the question was would + +0:59:26.289,0:59:27.469 +honey pot be of any value + +0:59:27.469,0:59:28.969 +honey pots are things that are good to run if + +0:59:28.969,0:59:32.119 +one you’re researcher or two you have a lot of time on your hands + +0:59:32.119,0:59:36.039 +because I have like a network of three hundred thousand +honey pots + +0:59:36.039,0:59:38.479 +so + +0:59:38.479,0:59:40.230 +actually it’s more like half a million now that I think about it + 
+0:59:40.230,0:59:43.139 +so yeah at some point + +0:59:43.139,0:59:46.959 +there’s actually two things one is yeah at some point +you could deploy some honey pots if you see them + +0:59:46.959,0:59:47.589 +scanned + +0:59:47.589,0:59:50.209 +but I have enough systems that are + +0:59:50.209,0:59:51.839 +alive or getting scanned or attacked or exploited + +0:59:51.839,0:59:54.169 +the second thing we have is + +0:59:54.169,0:59:55.510 +if you're inside our network + +0:59:55.510,0:59:59.869 +and if you try to do anything to any any network +that is not explicitly routed by us + +0:59:59.869,1:00:01.239 +you end up in a sink hole + +1:00:01.239,1:00:02.509 +so the sink hole + +1:00:02.509,1:00:04.589 +is an awesome awesome place to find + +1:00:04.589,1:00:07.389 +misconfigured systems malicious systems and +so forth + +1:00:07.389,1:00:09.040 +so I have a sink hole router + +1:00:09.040,1:00:11.210 +and before that I had a sensor that watches that traffic + +1:00:11.210,1:00:13.709 +so the sink hole routers are a great + +1:00:13.709,1:00:14.999 +indicator + +1:00:14.999,1:00:17.509 +source of indicators + +1:00:17.509,1:00:20.849 +it also keeps a lot of load off of our firewalls + +1:00:20.849,1:00:27.289 +so you can’t scan Google from inside GE as +for example it goes straight into the sinkhole + +1:00:27.289,1:00:29.740 +I know Capitol One does that as well + +1:00:29.740,1:00:32.109 +that's it’s a good trick + +1:00:32.109,1:00:34.199 +any other questions + +1:00:34.199,1:00:34.739 +okay thank you very much.
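Review bot: the single editing pass has left speech-recognition errors in tool names and security terms throughout this hunk (from the Sguil walkthrough at 0:37:44 to the end of the Q&A), and they should be corrected before this lands, since a reader searching the captions for the tools Bejtlich names will not find them. Three representative cue lines: "+it's Marty Rush's implementation of Packet Logger" (Marty Roesch's Daemonlogger; the preceding cue spells it "Demon Logger"), "+rendered through in this case we use TCP flow so we say" (tcpflow), and "+you know you SSH out to the sensor find a pcat file" (pcap, also "pcat data" at 0:47:04). The same kind of fix is needed for "SNB or RPC" (SMB), "a sequel query" and "used my sequel as a back end" (SQL, MySQL), "MRTGA" (MRTG), "our store alerts" (Snort alerts), "the source buyer guys" (Sourcefire), "Verne Paxon" (Vern Paxson), "Bam" (Bamm Visscher, the Sguil author), "Microsoft IS 4 0" (IIS 4.0), "script kitty" (script kiddie), "dum tap" (dumb tap), "net stat dash B" (netstat -B), "Capitol One" (Capital One), "hyper visor" (hypervisor), "it's 2099 but yes we just did up our first cert" (2009, CERT), "a perfect compliment to Snort" (complement), "freeBSD" (FreeBSD) and "SGUIL" (the project writes it Sguil). Two mechanical points as well: the ASR filler tokens "%uh" and "%um" survive in a dozen cues and should be dropped, and the text mixes straight apostrophes ("I'm") with U+2019 curly ones ("I’m"), which does not belong in a file committed under en_US.ISO8859-1; normalize to ASCII apostrophes.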